Higher ed fears wiretapping law


BY  JIM  DUFFY 

Institutions of higher education are up in arms over an FCC ruling on wiretapping they say could cost them billions of dollars in upgrades, expose their networks to more attacks, and jeopardize rights to privacy and freedom of speech.

A petition in the U.S. Court of Appeals for the District of Columbia could determine if higher-education networks — and perhaps private corporate networks — will be required to allow wiretapping by law enforcement agencies as soon as next year.

Oral arguments will be heard late this week in the petition of the American Council on Education (ACE) vs. the FCC, which was submitted in mid-March to the court. The petition is part of an ongoing appeal of the FCC’s Sept. 23, 2005, ruling that extends the 1994 Communications Assistance for Law Enforcement Act (CALEA) wiretapping order to broadband Internet providers and “interconnected” VoIP providers next year.

The higher-education community is concerned the FCC ruling does not distinguish between public and private networks, and could potentially extend the CALEA compliance requirement to university and enterprise networks.

“For university networks, the worst-case scenario . . . would mean potentially replacing every switch and router in our system,” says Wendy Wigen, policy analyst at Educause, a nonprofit association promoting the use of IT in higher education. “Just for the hardware cost, we’re looking at $400 to $500 per student, which is about a $7 billion price tag for all of the colleges in the United States.”

Last fall’s ruling does not state specifically that institutions of higher learning need comply with CALEA. It does not rule that out either. Because it extends the wiretapping order to facilities-

See CALEA, page 62


How carriers are dealing with CALEA. Get columnist Johna Till Johnson's take. Page 32.




Security  finds 
new  footholds 


INTEROP

LAS VEGAS | APRIL 30-MAY 5, 2006

Inside  news: 

■ Security splash: E-mail security updates set from SonicWall and Mirapoint. Page 7. Separately, NAC vendors offer security without disrupting existing environment. Page 24

■ VoIP: Avaya to offer hosted VoIP services. Page 7

■ Application acceleration: Vendors to air WAN capacity, mgmt. packages. Page 8

■ Wireless wares set to go: Bluesocket and Meru Networks aim to bolster bandwidth. Page 10

■ Kings of management: Myriad vendors set to deliver new application and network management products. Page 10

■ Testing taking place within InteropLabs focuses in on NAC interoperability, how VoIP products can accommodate existing NAT and wireless links. InteropLabs coverage starts on page 42.


BY  PHIL  HOCHMUTH 

Vendors at Interop this week will continue to blur the line between security and network infrastructure products, with Cisco, Extreme, Enterasys and Foundry expected to launch protection-oriented switches and routers.

The 20th anniversary show will also feature key product rollouts from network acceleration, management, VoIP, security and wireless firms, and is expected to attract 18,000 attendees and 330 exhibitors.

But it is the trend of melding security and infrastructure that could attract the most attention. The development has grown steadily over the last six to 12 months, as vendors bought or developed security features for equipment that once only moved packets.

Analysts and users say security is too important to have as just a service bolted onto a switched or routed network; intrusion-detection and -prevention systems (IDS/IPS), VPN, encryption and other services need to be woven into the fabric of network gear.

Cisco is launching several upgrades to its 7200 Services Aggregation Router, a device usually deployed in the main office of an enterprise, which can tie together

See Switches, page 8


Boeing turns to wireless LAN when a key part goes missing

InSite: Lessons from Leading Users

BY PHIL HOCHMUTH

It’s easy to lose track of something in the world’s biggest building — even a jumbo jet engine.

Not that this happens often at aerospace giant Boeing, but the company recently deployed a wireless LAN (WLAN)-based location tracking system to keep tabs on all its high-value components and manufacturing equipment.

“In the factory, the ability to locate major parts and tooling on a timely basis is critical,” says Jim Farricker, chief network engineer and technical fellow at Boeing. (Vaho Rebassoo, CTO, computing and network operations, at Boeing, will participate in an Interop panel on the future of wireless technology on May 4 at 11:30 a.m.)

Quickly locating parts is difficult at times in Boeing’s Everett, Wash., facility where 737s, 747s, 767s and 777s are built. The plant covers almost 100 acres, encloses 472 million cubic feet and is the largest building in the world (by volume) according to The Guinness Book of World Records. The site is also

See Boeing, page 12

Photo caption: Boeing's tracking system keeps tabs on key parts at its aircraft facility.
News


7  E-mail  security  upgrades  due. 

7  Avaya  to  announce  service  for  hosted  VoIP. 

8  Web  app  and  WAN  acceleration  gear  set  to  launch  at  Interop. 

10  Net  management  vendors  add  application  intelligence. 
10  Wireless  vendors  target  corporate  networks. 

15 Microsoft customers warily eye management plan.

17  Cisco  updates  joint  CRM  system. 

17  EMC  expands  strategy,  targets  IBM. 

64  Intel,  AMD  chips  add  advanced  features  to  processor  packs. 


Net  Infrastructure 

21  Coffee  chain  brews  up  POS  gear. 

22  Kevin  Tolly:  A  second  look  at 
"Lucatel." 

22  Interop:  BorderWare  to  unify 
security  appliances. 

22  Phishers  employ  VoIP  in  new 
scam  model. 

24  SPECIAL  FOCUS:  NAC  will  make 
a  splash  at  Interop. 

Enterprise  Computing 

27  Microsoft  takes  aim  with 
Crossbow  mobile  technology. 

27  Hitachi  pitches  path  to 
virtualize  storage. 

27 Firefox backers aim to “destroy” Internet Explorer.

Application  Services 

29  Management  key  to  controlling 
desktop. 

30 Scott Bradner: Mac OS X gets wrong kind of attention.

30  Company  to  push  wikis  for 
corporate  collaboration. 


COOL 

TOOLS 

The  17-inch 
MacBook  Pro 
features  a  built-in 
iSight  videocamera 
and  Front  Row 
media  software. 
Page  38 


Service  Providers 

32 Johna Till Johnson: Wiretapping the WAN: It's the law.

32 XO “launches” a familiar name.

34 Internet2's network to get a face-lift.

Technology  Update 

37  Secure  SIP  protects 
VoIP  traffic. 

37  Steve  Blass:  Ask  Dr.  Internet. 

38  Mark  Gibbs:  A  PDF  reader, 
more  portable  apps. 

38  Keith  Shaw:  Cool  tools,  gizmos 
and  other  neat  stuff. 

Opinions 

40  On  Technology:  Virtualization: 
the  best  get  better. 

41  Jeff  Kaplan:  Bridging  the 
ITIL-SOA  gap. 

41 Linda Musthaler: Porn purveyors may be in the next cubicle.

66 BackSpin: Darwin and spam.

66 'Net Buzz: Can't find a domain name? Here's why.


INTEROP  LABS 

EXPLORATION 


InteropLabs is the experimental network that’s a feature of the Interop trade show in Las Vegas this week. This year, dozens of experienced network engineers have assembled hundreds of VoIP, network access control and open source products to assess whether they can coexist peacefully on a corporate network. Network World has exclusive access to the preliminary InteropLabs testing.

Network World Lab Alliance member Joel Snyder examines where the reality of available NAC products hits the network. PAGE 42

Tester David Newman pinpoints where new VoIP gear can — and can’t — fit into wireless and NAT-controlled nets. PAGE 44

ONLINE ONLY

Network World Lab Alliance member Rodney Thayer writes about the ins and outs of merging a Microsoft-only network with a pure open source one.

www.nwdocfinder.com/3221
Catching up with Nick Carr

Three years after author Nick Carr shocked the industry with his groundbreaking “IT Doesn't Matter,” he speaks out about the paper's impact — and what the future holds for IT — on this week's Network World Hot Seat.

DocFinder: 3240

Storage shenanigans

USB storage devices come in all shapes and sizes, so how can you tell how much data they hold? Editor Keith Shaw brings in a Cool Tools guest to play the “Guess the Storage Capacity” game. Looks can be deceiving.

DocFinder: 3241

Interop 2006 news

If you're not heading to Las Vegas this week, you can still get all the news from the show floor at our Interop 2006 news page, updated daily.

DocFinder: 3242

Online help and advice

Internet2 revamping its backbone

Alpha Doggs, our new blog reporting on the future of networking as seen through the works of university and other labs, looks at changes to the Internet2 consortium's backbone. How big will it be, and who will be the carrier?

DocFinder: 3245

Absolute disk encryption

Columnist James Gaskin looks at WinMagic, a product that its maker claims can protect data so well that a laptop stolen at a hacker's convention won't yield any information.

DocFinder: 3249

Which is the best database operating system?

A reader asks Help Desk guru Ron Nutter: “NetWare is often held up as the best x86 platform for file and print, because of its architecture. Is there similarly an operating system that is architecturally the best for a dedicated database server?”

DocFinder: 3248

Seminars and events

Application & Content Security: Building the Defensible Network

Network World's one-day Technology Tour event is full of best practices and the latest in anti-spam, anti-phishing, anti-spyware, anti-virus, encryption, patch automation and performance-auditing technology. Qualify to attend free at:

DocFinder: 3250

BREAKING NEWS

Go online for breaking news every day. DocFinder: 1001

Free e-mail newsletters

Sign up for any of more than 40 newsletters on key network topics.

DocFinder: 1002

What is DocFinder?

We’ve made it easy to access articles and resources online. Simply enter the four-digit DocFinder number in the search box on the home page, and you’ll jump directly to the requested information.
'Net neutrality suffers setback

■ A telecom reform bill approved by a U.S. House committee last week drew predictable reactions from proponents and opponents of ’Net neutrality — as the opponents won in this preliminary round of what promises to be a long legislative process. The bill creates a national franchise process for such carriers as Verizon and AT&T, which are rolling out TV services in competition with cable TV. Currently new providers of cablelike TV services must get approval in every city where they want to provide service. The ’Net neutrality amendment would have required broadband providers that set aside bandwidth for such services as IP TV to offer the same bandwidth to competing services. Supporters of ’Net neutrality say that without a strong law, providers could block content from competitors or charge companies extra for their content to have top priority.


AttachmateWRQ snaps up NetIQ

■ AttachmateWRQ last week said it will acquire NetIQ for $495 million to create a stronger company offering enterprise software products. NetIQ sells systems and security management products that help IT administrators ensure policy compliance and manage service levels. AttachmateWRQ’s products let administrators make corporate data accessible to more users and also manage and secure enterprise systems. The combined companies will offer a wider array of products to customers, AttachmateWRQ said. Attachmate and WRQ merged last year to form AttachmateWRQ, a company owned by a group of investors. At the time of the merger, AttachmateWRQ executives hinted the new company might make acquisitions. The NetIQ acquisition follows an announcement in March that AttachmateWRQ acquired OnDemand Software for an undisclosed amount.

Avocent to acquire LANDesk group

■ Infrastructure management vendor Avocent has agreed to buy LANDesk Group, which makes desktop management products, for $416 million. LANDesk offers a range of software products, including tools for desktop management and security. The company has partnerships with several big PC makers, including Lenovo. It was once part of Intel, which spun it out into a separate company in 2002. The LANDesk acquisition follows Avocent’s purchase of Cyclades earlier this year. Cyclades specializes in Linux-based management tools.

COMPENDIUM

Network doom no gloom

Network visualization tools can be so boring — all those dull, dull, dull lines. The Cube of Potential Doom solves that by plotting network connections onto a colorful cube. You know you want it. Find out more at www.nwdocfinder.com/3255.

“Google is paying $1 for each new Firefox user you refer. . . . Now you can advance your ideals, save people from popups and spyware hell, and make some serious money.”

Web site of “Explorer Destroyer,” a group dedicated to advancing Firefox over Internet Explorer.

See the story at www.nwdocfinder.com/3254

EDS lands $1.7B pact with Kraft

■ EDS said last week it has signed a seven-year, $1.7 billion outsourcing services contract with food and beverage behemoth Kraft Foods. As part of the contract, EDS will provide services that include data centers, hosting, telecommunications, workplace support services, hardware and software. EDS will manage Kraft’s IT infrastructure, including desktop workstations and servers for more than 60,000 employees worldwide. EDS has landed a couple of large contracts in recent months. It was part of the massive General Motors five-year, multibillion-dollar systems integration plan that includes Capgemini, Compuware Covisint, HP, IBM and Wipro. The services firm also inked an outsourcing contract extension with the U.S. Navy worth an estimated $3 billion.


NEC victim of identity theft

■ NEC is the victim of a large-scale piracy ring that sold counterfeit NEC goods and NEC-branded products the company does not manufacture. The company is unsure whether the goods were produced by factories working under contract for NEC in China and Taiwan or came from an outside counterfeit-goods syndicate, says Yasuhito Jochi, a spokesman for NEC in Tokyo. Counterfeit keyboards, writeable CDs and DVDs, and MP3 players have been sold unlawfully under the NEC brand, even though NEC doesn’t necessarily manufacture all those products, he said. The company does not make MP3 players, for example. NEC was unable to estimate the value of the pirated goods sold, because it hasn’t ascertained the scope of the problem yet.

TheGoodTheBadTheUgly

DEC founder to be honored. Gordon College in Wenham, Mass., will celebrate the accomplishments of Digital Equipment founder Ken Olsen on June 17, when ground will be broken for a new science and technology center named after him and funded in part by him. Organizers are hoping Olsen, now in his 80s, can join what is expected to be a crowd of more than 1,000 former DEC employees at the event.

As the e-mail bounces. The IT costs related to misdirected bounce e-mail messages are nearly $5 billion annually, according to a report issued last week by a messaging security vendor. The report says roughly 4.5 billion misdirected bounce messages are sent per day. Costs associated with such messages relate to help desk calls

Hackers horn in on Texas network. The University of Texas at Austin announced on April 23 (www.nwdocfinder.com/3253) that an unknown person or persons infiltrated its business school's computers and gained unauthorized access to an estimated 197,000 records. “It is our highest priority to notify those who may be affected by this security breach,” said university President William Powers, Jr.

Lucent finalizes Riverstone deal

■ Lucent last week said it has completed its $207 million acquisition of certain assets of metropolitan Ethernet router maker Riverstone Networks. Last month Lucent outbid rival Ericsson for those assets, which give Lucent Ethernet switching and routing capabilities it could not get from partner Juniper Networks. Lucent says Riverstone’s carrier Ethernet platforms augment its IP Multimedia Subsystem portfolio by letting operators use end-to-end, Ethernet-based architectures that support lower-cost delivery of broadband services. “Substantially all” of Riverstone’s 400 employees are now Lucent employees, Lucent said.




5.1.06  •  www.networkworld.com  •  7 



E-mail security upgrades due

BY CARA GARRETSON

A pair of veteran security vendors will use Interop as a stage for announcing new and upgraded products designed to keep corporate messaging systems protected from a variety of threats.

Following its February purchase of MailFrontier, SonicWall on Tuesday plans to announce the first release of MailFrontier’s e-mail security gateway software and appliances under the SonicWall name. SonicWall plans to expand MailFrontier’s target market of midsize companies to include small- and midsize businesses (SMB), says Gleb Budman, SonicWall’s director of product management for email security.

The SonicWall Email Security offerings protect against e-mail threats and include auditing, policy management and regulatory compliance features, Budman says.

Slated for release later this month, the SonicWall SMB Series Email Security appliances will include additional monitoring features and a new audit function that reports to administrators what happens to a message once it is received, Budman says. These appliances are aimed at companies with 50 to 1,000 users and will start at $1,395.

The SonicWall Enterprise Series Email Security appliances, designed for companies with 1,000 to 5,000 users, are set to be released next month, priced starting at $16,000. They will include the same monitoring and auditing upgrades as the SMB version and are based on a more robust hardware platform than their lower-end counterparts.

SonicWall Email Security 4.6 gateway software is available now, priced at $995 for as many as 50 users and $22,995 for 5,000 or more users.

With its MailFrontier acquisition, SonicWall is entering the crowded e-mail security arena where companies are struggling to distinguish themselves. SonicWall hopes a robust feature set and simplified administration will help it stand out, Budman says.

Ease of use is what sold Brian Marko, server operations engineer at The Villages, a retirement community in Florida, to choose MailFrontier’s e-mail security appliance last summer. Marko also tested appliances from Barracuda, IronPort and Symantec. “As far as ease of implementation and use, the other three didn’t seem nearly as easy,” says Marko, who manages about 2,000 in-boxes.

He said he’s concerned when a vendor is acquired but hasn’t noted any changes in support or the quality of updates for the appliance since the SonicWall acquisition.

During the second half of the year, SonicWall plans to integrate its e-mail security products more closely with its other network security offerings, Budman says.

Mirapoint on Monday plans to announce a dedicated reporting appliance designed to give administrators and executives an understanding of their companies' messaging trends, such as the amount of e-mail received and what percentage of it is spam or infected by a virus.

Called Messaging Reporter, the standalone appliance collects information generated by Mirapoint’s RazorGate gateway e-mail security appliance and its Message Server mail server software to create reports that can span up to a 10-year period, company officials say. With these reports, administrators can get an instant view of a company’s messaging use from one central spot and discern trends for resource planning purposes, officials say.

The new tool includes a message-retrieval function that searches for messages based on criteria such as date sent, sender and recipient, and reports on what actions were taken on the message, the company says.

Messaging Reporter is slated for availability in June; pricing has not yet been announced. ■

You’ve got security

The e-mail security market will grow from $1.2 billion this year to $2.6 billion in 2009, says IDC.

Avaya to announce service for hosted VoIP

BY PHIL HOCHMUTH

Avaya this week is expected to announce at Interop a hosted IP telephony service, with options for messaging and call center applications.

The Avaya On Demand service, to be hosted by the company’s channel partners, service providers or Avaya, will provide IP telephony, messaging and call center applications.

Starting at $25 per month per user, customers will be able to receive a service based on Avaya's Communications Manager IP PBX platform, with 700 call features, according to Avaya product description material. The service supports onsite IP phones and gateways, with call processing and public switched telephone network (PSTN) termination in the hosting company’s data center. Among the North American providers slated to offer the service are XO Communications, Sprint and Cross Telecom, according to Avaya documents.

Customers can pay an additional $5 per month for a voice mailbox add-on. For midsize companies looking for outsourced call center applications, a Contact Center On Demand offering will be available for $50 to $150 per month per agent. The hosted service provides call routing, a self-service voice-response portal for customers, and reporting services. Gateways, IP phones, softphone clients and other related applications and software are provided to onsite client machines.

Avaya plans to launch MultiVantage Express — an all-in-one IP PBX, messaging server and gateway. The company also plans to introduce the S8400 Media Server — a Linux-based blade server card that slides into legacy PBX or gateway voice equipment, converting the gear to IP.

MultiVantage Express comes on a Linux-based appliance and includes Communications Manager IP PBX software, Audix voice mail and desktop-management applications, IP softphone support, auto-attendant features and limited call center capabilities for up to 50 agents.

The S8400 Media Server card fits into either a Definity Prologix PBX chassis or a G645 gateway. The blade runs Avaya’s Linux-based operating system and Communication Manager 3.1, with support for as many as 900 phone lines and 400 IP trunks. The card also can support digital phones still attached to line cards in the Prologix or G650 chassis, as well as any IP phone or endpoint from Avaya or its partners.

Siemens thinks small

Also focusing on smaller deployments is Siemens, which is set to launch its BizIP offering for small offices. The product includes SIP-based, peer-to-peer IP phones and a broadband router/firewall/VoIP and PSTN gateway; the BizIP AD 20 plugs into a broadband cable modem or DSL link and provides Power over Ethernet LAN links to the BizIP410e phones. The BizIP AD 20 also can connect to an ISDN link for PSTN connectivity — in case the IP connection to a provider fails. Call control and PSTN access over the IP network would be delivered by a VoIP service provider offering SIP-based trunks and direct inward dialing number services over IP.

Separately, Foundry is expected to launch a Voice-over-WLAN controller and access point package. The IronPoint Mobility Controller is an appliance that attaches to Foundry IronPoint 200 access points and provides QoS and fast connection hand-off services for voice-over-WLAN clients. ■
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Switches 

continued  from  page  1 

Cisco  integrated  Service  Routers  (ISR)  in  hundreds  of 
branch  sites.  It  is  built  to  handle  OC-3  and  higher 
channelized  T-l  andT-3  links. 

A  new  Network  Processing  Engine  G2  (NPE-G2) 
doubles  the  routing  performance  of  previous  NPE 
blades,  Cisco  says,  with  a  faster  processor  and  more 
memory.  This  allows  the  box  to  take  on  more  10S- 
based  security  functions  without  choking  through¬ 
put.  The  greater  capacity  is  meant  to  accommodate 
faster  boxes  that  may  run  in  enterprise  branches,  if 
customers  recently  upgraded  to  more  powerful  ISRs 
on  the  other  end. 

For  site-to-site  and  remote  access  VPNs,  Cisco  is 
scheduled  to  launch  the  VPN  Services  Adapter,  which 
allows  a  7200  router  to  process  IPSec  VPN  traffic  three 
times  faster  than  a  box  running  only  IOS  VPN  ser¬ 
vices,  the  company  says.  Encryption  standards  sup¬ 
ported  include  Triple  Data  Encryption  Standard  and 
Advanced  Encryption  Standard,  with  128-  to  256-bit 
key  encryption. 

To  fill  larger  WAN  pipes  with  the  added  processing 
power, Cisco  is  introducing  a  third  module  —  the  Fbrt 
Adapter  Jacket  Card,  which  can  add  as  much  as  50% 
bandwidth  to  the  router, Cisco  says.This  module  adds 
a  seventh  service  card  slot  to  the  device,  which  could 
be  plugged  with  another  channelized  dual  T-3  or 
another  OC-3  connection  into  the  router. 

“There are a ton of these out there,” regarding the 7200 router, says Zeus Kerravala, a Yankee Group analyst. “Anything that extends the life of these routers is good for investment protecting to customers.” For branch offices, “the ISR has been one of the best-selling products Cisco has ever had; with this whole concept of branch office consolidation, these upgrades to the 7200 make sense.”

Extreme and Enterasys are expected to announce plans to integrate IDS/IPS and other security features into their network gear, while Foundry plans to announce a massive-scale data center switch with packet tracing and secure routing features. Meanwhile, Cisco is focusing on the WAN, with an upgrade to its 7200 router that boosts VPN, firewall and overall WAN routing throughput and performance.

Enterasys is putting its Dragon IDS/IPS modules into its Matrix N Series backbone switches. The new Dragon-based daughtercards fit into expansion slots in individual 10/100/1000Mbps line cards on switches and do not require users to sacrifice a slot in the chassis, the vendor says.

Enterasys  is  late  to  the  game  of  plugging  IDS/IPS 
features  directly  into  a  core  switch  —  Cisco  has  done 
this  for  several  years,  and  recently  Nortel  announced 
such  support.  But  one  observer  says  Enterasys’ 
approach  —  putting  daughtercards  on  individual 
switch  blades  instead  of  one  central  processor  — 
may  be  superior. 

“The Enterasys design is more elegant” than Cisco’s integrated IDS/IPS blade for the Catalyst 6500, says Jon Oltsik, a senior analyst at the Enterprise Strategy Group. Cisco’s IDS blade occupies a chassis slot, and traffic must pass through the switch backplane to be processed by the blade. “You have an expensive card taking up expensive real estate inside and throttling bandwidth — not a good combination.”

The  Extreme  plan 

Extreme plans to announce partnerships with Internet Security Systems (ISS), CipherOptics and StillSecure — IDS/IPS, data encryption and network access control (NAC) vendors, respectively. Users of any of these three companies’ products will soon be able to extend security functions to Extreme switches in the LAN core and edge, the vendor says.

With ISS, Extreme has developed a protocol that passes information between ISS IDS/IPS appliances and switches running the XML-based ExtremeXOS switch operating system. An ISS device sitting in a central location would communicate with all Extreme switches on a LAN, tapping into traffic flow data on switches. Flows of suspicious traffic that trigger an ISS box would create a series of alert messages between the Extreme switches and ISS device, ending with the shutdown of the port on which the bad traffic was detected.

Extreme and ISS are expected to show this package at Interop, with the products planned for release later this year. The development work between ISS and Extreme is not exclusive. In addition, other vendors are expected to be testing similar approaches with switch-based IPSs.

With CipherOptics and StillSecure, Extreme is rebranding the security vendors’ encryption products and integrating them with Extreme’s Sentriant security traffic management appliance, which was announced at Interop 2005.

CipherOptics’ endpoint-to-endpoint data encryption device sets up secure transmission between two or more users. Extreme says its ExtremeXOS switches (working with the Sentriant appliance) will detect traffic requiring encryption — based on preset policies — and call in the CipherOptics box to scramble the bits. Interoperability will be similar with StillSecure: Extreme switches will trap unauthenticated users at the switch level while the StillSecure device examines the client machine for security compliance. The Extreme switch will then admit or deny access based on the result of the StillSecure NAC device’s scan.

Focusing on the data center, Foundry is expected to announce its NetIron MLX-32, which takes aim at 10G Ethernet port-density leader Force10 Networks. The device supports as many as 256 10G Ethernet connections, 1,280 Gigabit Ethernet ports or a mix of the two with a 7.68Tbps switch fabric. MPLS, IPv4 and IPv6 are supported on all ports.

“In the data center and backbone, we’re seeing even medium-sized enterprises moving toward 10G,” says Bobby Johnson, Foundry’s CEO. “It makes economic sense and it takes any conversation about bandwidth [issues] off the table” for advanced services, such as VoIP, video and centralized corporate applications.

Besides high bandwidth, Foundry is highlighting several data center security features in the MLX-32. These include Unicast Reverse Path Forwarding (URPF) and Multi-Virtual Router Forwarding (Multi-VRF). URPF lets a switch check the source and destination address in each packet against Layer 3 route tables in the device to prevent packet spoofing, Foundry says.

Multi-VRF lets users create virtual routing domains inside a box. These domains, similar to Layer 2 virtual LANs, segregate traffic flows. Users also can install external firewalls (external to the box) or internal access control lists to regulate what traffic is shared among virtual router segments, Foundry adds. ■
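The source-address check at the core of Unicast Reverse Path Forwarding can be sketched as follows. This is an added example, not Foundry's code or anything from the article: the route table, interface names and packets are constructed, and the strict/loose modes and the default-route option are a simplified model of how the check is commonly configured.

```python
import ipaddress

# Constructed routing table for illustration: (prefix, egress interface).
ROUTES = [
    ("10.1.0.0/16", "eth1"),   # campus aggregate
    ("10.1.5.0/24", "eth2"),   # more-specific subnet on another port
    ("192.0.2.0/24", "eth3"),  # server segment
    ("0.0.0.0/0", "eth0"),     # default route toward the upstream
]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.1.5.9", "eth2"),     # arrives where the route points: legitimate
    ("10.1.5.9", "eth1"),     # same source, wrong port: spoofed or asymmetric
    ("192.0.2.7", "eth0"),    # internal source arriving from upstream
    ("203.0.113.5", "eth0"),  # matches only the default route
    ("10.1.9.1", "eth1"),     # covered by the /16 on its arrival port
]


def build_fib(routes):
    """Parse prefixes and sort longest-prefix-first for simple LPM lookup."""
    fib = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib


def best_route(fib, address):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    for network, iface in fib:
        if addr.version == network.version and addr in network:
            return network, iface
    return None


def urpf_accepts(fib, src, in_iface, mode="strict", allow_default=False):
    """Return True if a packet from `src` on `in_iface` passes the check.

    strict: the best route back to the source must leave via the arrival
            interface.
    loose:  any route to the source is enough, whatever the interface.
    A source that matches only the default route fails unless
    allow_default is set (an assumption of this simplified model).
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = best_route(fib, src)
    if route is None:
        return False
    network, iface = route
    if network.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == in_iface


def dropped(fib, packets, mode, allow_default=False):
    """List the packets the check would discard, in arrival order."""
    return [
        (src, iface)
        for src, iface in packets
        if not urpf_accepts(fib, src, iface, mode, allow_default)
    ]


if __name__ == "__main__":
    fib = build_fib(ROUTES)
    for mode in ("strict", "loose"):
        print(mode, "drops:", dropped(fib, PACKETS, mode))
```

Strict mode also discards the second packet when it is legitimate traffic on an asymmetric path, which is why multihomed segments are usually run in loose mode.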


Vendors  air  WAN 
capacity  mgmt.  wares 

BY  PHIL  HOCHMUTH  AND  DENISE  DUBIE 

A  handful  of  vendors  are  expected  to  use  this  week’s  Interop  show  to 
launch  gear  designed  to  get  more  data  through  WAN  pipes  and  Web 
server  data  center  links  faster. 

Citrix is expected to air its largest-scale application front end: the NetScaler 12000 platform. Crescendo plans to add application-level acceleration capabilities to its TCP/SSL offload box. Expand is adding management software tools that work with its WX line of application acceleration products.

Citrix’s NetScaler 12000 box is designed to handle as many as 275,000 HTTP transactions per second, up from the 230,000 supported by the company’s 10000 series. The 12000 does this with more RAM — 4GB — and a new, dual-Intel CPU and dual SSL network processor architecture (past NetScalers were single-processor devices).

The NetScaler 12000 costs $71,000 and is expected to be available at the end of May.

The NetScaler 12000 will be deployed this fall on the Web site of Major League Baseball (MLB). Justin Schaffer, vice president and chief architect for the site, says he looks forward to getting the device installed.

“We’re growing at a pretty ridiculous pace, so we’ll use the NetScaler 12000 to give us more capacity without having to add a lot more hardware,” Schaffer says.


The  last  track 

Application  acceleration  vendors  are  expected  to  launch  an 
array  of  gear  for  the  data  center  and  WAN  at  Interop. 


Vendor | Product description
Citrix | NetScaler 12000: High-end application front end for large Web data centers.
Crescendo | Maestro/ALP: Application front end for midrange and large data centers.
Expand | Accelerator 7940: Data center appliance for managing remote caching devices.
Juniper | Central Management Software: Management software for its WX line of WAN accelerators.

All Web traffic handled by the MLB Web site now goes through one of a dozen NetScaler 9000 series boxes. The devices are used to terminate browser connections, which lets administrators pool TCP connections for the Sun Web servers in the background. Offloading this TCP/IP connection setup and tear-down from the servers to the Citrix box has improved response time and reduced server strain, Schaffer says.

Separately, Crescendo plans to debut at Interop its Application Layer Processing (ALP) technology, which the company says will let its Maestro boxes speed application delivery by reducing back-end processing bottlenecks, among other things. The ALP technology, combined with Crescendo’s TCP optimization, SSL acceleration and compression features, can reduce the processing time for applications on back-end systems such as databases, the company says.

Loaded onto a Maestro box in front of a data center Web server farm, ALP uses a rules engine to set application-request and processing-time thresholds that, for instance, don’t allow application requests into a processing queue unless the necessary capacity is available. The software also identifies requests that will take longer to process, and moves other, lightweight requests ahead, to prevent a backlog from occurring and causing the application to overload.

The integrated Maestro/ALP product is slated to be available in the fall and will start at $52,000.

—  Senior  Editor  Tim  Greene  contributed  to  this  report. 
let mgmt vendors add app-centricity


Management  tools  on  tap 

Vendors  are  rolling  out  their  latest  releases  to  help  network  managers  improve  performance 
and  increase  uptime. 


Company | Product | Purpose | Price
eIQnetworks | Enterprise Security Analyzer 2.5 | Security event management software that can now collect logs from messaging and database systems. | $8,000
eTelemetry | Metron | IP address management appliance that tracks bandwidth usage across users, departments and groups. | $35,000
Fluke Networks | DTX-10GKIT-SK for DTX-1800 | Set of tools to help network managers test whether pairs of cable can support performance expectations. | $2,500
MetaInfo | Meta IP 5.7 | IP address management software that manages BIND 8 and BIND 9 services and includes more platform support. | $5,000
Opsware | Network Automation System 6.0 | Software to automate change and configuration management across network devices, now with VPN, VoIP and wireless support. | $20,000

BY  DENISE  DUBIE 

Management vendors are ready to step up at Interop to address customer demands for more proactive management of critical network services, and give network teams tools to better assess application performance.

Companies such as Apparent Networks and NetScout are among the network management vendors that plan to make announcements at the show, and have included application-centric features in their products to help customers better manage critical business services.

While monitoring network performance remains the primary concern, many network managers also need to understand how applications use a network and how the services it delivers perform on user machines.

“Application-centric networking is a big area of concentration at Interop this year,” says George Hamilton, director of enterprise computing and networking at the Yankee Group. “The more enterprise companies get into voice and wireless, the more they need application-aware management tools. And there are some elegant solutions that can help customers get a picture of what’s on their network and take accurate performance measurements.”

Apparent plans to make available software called AppCritical, which costs about $100,000. The company took the technology of its AppareNet flagship offering — typically used to test networks for application deployment, troubleshoot problems and optimize configurations — and added a real-time monitoring element. Instead of running at scheduled times, AppCritical sends packets every few minutes across a network and analyzes returning data to determine network latency, application response times and jitter, for instance. It includes software installed on a dedicated server and distributed bits of software — what Apparent calls sequencers — installed on a few key servers in data centers.

“It can provide proactive monitoring and lets us know of a potential problem,” says Jimmy Brown, vice president of network services at Affiliated Computer Services, in Dallas. Brown intends to deploy AppCritical this summer to support 115 client networks.

Martin Webb, manager of data network operations for the province of British Columbia, in Victoria, also plans to purchase licenses and get the software in place over the next few months.

“The difference between the real-time event monitoring I have and Apparent Networks is that AppCritical is constantly taking measurements of actual performance on the network and letting me then set thresholds,” he says.

He  also  intends  to  investigate 
new  analytics  technology  from 
NetScout,  which  the  company 
plans  to  announce  at  Interop. 

NetScout is scheduled to display an appliance it developed from technology acquired last year with Quantiva, which offered a Web analytics service. NetScout used the technology to design nGenius Analytics, which, when employed with the vendor’s nGenius Performance Manager software and distributed probes, can use network performance metrics collected across an enterprise to help IT managers get a better picture of end-to-end application performance management. nGenius Analytics costs about $65,000.

The appliance is installed in “domains” that could be defined as topological, geographical or logical if a group of servers and a router support a critical business application. The appliance receives data from other NetScout tools and third-party systems via APIs, performs its analysis on the application flow data and then generates alerts based on aggregated data. NetScout says the product will help IT managers more quickly diagnose the source of performance problems and repair them. ■


Wireless  vendors  target  corporate  nets 


BY  JOHN  COX  AND  PHIL  HOCHMUTH 

Wireless  offerings  set  to  debut  at  Interop  are 
targeting  corporate  customers  looking  to  add 
high-bandwidth  gear  to  core  networks. 

Bluesocket is scheduled to introduce the first multiple-input multiple-output (MIMO)-based wireless LAN (WLAN) access point for corporations. Meru Networks is expected to unveil products that let customers connect a WLAN infrastructure wirelessly to a network core. Foundry is scheduled to announce WLAN switches designed for future high-bandwidth 802.11n networks.

MIMO is a technique that boosts WLAN throughput from the 20M-to-25Mbps range in today’s 802.11a and 11g networks to more than 100Mbps when MIMO radios are on both sides of a connection. It's the heart of the IEEE 802.11n standard now in development. Airgo Networks introduced the first MIMO chipset in 2004, and the third-generation chip is widely used in access points aimed at the small office/home office and residential markets.

Bluesocket is one of the first vendors to build a MIMO product for enterprises, the BlueSecure Access Point 1700. The Airgo chipset is Wi-Fi certified, and existing 802.11b and 11g clients can connect to the 1700 point without any changes. But the MIMO technology is designed to improve range and throughput even for these clients.

That’s  what  attracts  some  enterprise  users, 
such  as  office  supply  company  Staples,  in 
Framingham,  Mass. 

“The amount of access points you have to install in a six-story two-tower facility can get quite large,” says Shawn Nerssessian, a Staples IS consultant. “Something like this will help out tremendously in terms of [reducing] the amount of access points and [increasing] the coverage.”

The 1700 access point is scheduled to be available at the end of July, priced at $795, compared with $395 for the vendor’s existing 1500 point.

Meru Networks has written code for its access points and controllers to support backbone connectivity. The Meru Wireless Backbone System wirelessly connects access points to Meru Radio Switches in wiring closets, or interconnects the switches. The switches have four, eight or 12 radios, and Meru’s software aligns the channels between them to aggregate bandwidth.

One Meru customer who likes this idea is Ken Winke, whose title is “convergineer” for Optimus, a Chicago company that does postproduction work for TV commercials. “We could tie together three 11a channels and have this big, full-duplex pipe [between switches],” he says. “That’s really cool.”

Meru’s software is being put into new products, such as the AP150-WB, priced at $995, and the RS4000-WB switch, priced at $2,995. Software upgrades for existing products are available, at $595 for a single AP208, and $1,595 for the RS4000 switch. The products are scheduled to ship in July.

Anticipating future 802.11n-based access points, Foundry plans to launch two WLAN switches with Gigabit Ethernet and Power over Ethernet (PoE) ports to deliver AC power to access points. The switches can aggregate multiple 100-plus-Mbps connections from an access point on one wire.

The FastIron X IronPoint switch comes in 24- and 48-port versions, each with 10/100/1000Mbps support. The FastIron SuperX IronPoint is a chassis-based WLAN switch with as many as 192 10/100/1000/PoE LAN ports.

Foundry  also  plans  to  launch  IronPoint 
Location  Manager  application  software.  The 
Windows  software  taps  into  existing 
Foundry  IronPoint  200  WLAN  access  points 
and  uses  triangulation  to  track  the  location 
of  WLAN  radios. 

The IronPoint Wireless Location Manager costs $8,000. Pricing for the FastIron X and SuperX Wireless Switches will be announced when the product ships. Both products are expected to be available in the third quarter of 2006. ■

Bluesocket's new MIMO 802.11b/g access point improves WLAN speed and range.
Boeing

continued  from  page  1 

where  Boeing  is  readying  its  787 
Dreamliner  super-jumbo  jets, 
scheduled  to  roll  out  this  summer. 

In advance of the 787 project, and to speed up production of its other aircraft lines, Boeing’s IT group last year began installing wireless location tracking. The technology will let engineers find and assemble the collection of airplane parts and tools — known as kits — more quickly and allow for better inventory tracking.

“It will streamline our production environment and make it more efficient time-wise and dollar-wise by not having to replicate tooling and pieces of gear,” Farricker adds.


Where  it’s  at 


Boeing  deployed  wireless  LAN  (WLAN)  location  tracking  in  its  Everett,  Wash.,  aircraft  plant  using  Cisco  Airespace  infrastructure 
equipment  and  location-tracking  tags  and  server  software  from  Aeroscout. 


1. Key aircraft components, tool kits and assembly equipment are fitted with 802.11 active tags, which relay the position of the equipment over the WLAN.

2. As tagged equipment moves from aircraft to aircraft around the 4.3 million-square-foot facility, Cisco Airespace WLAN access points track its movement in real time using triangulation. Location data is relayed to a tracking server over the LAN.

3. Engineers can view where all key manufacturing assets are in real time, which allows for faster setup of aircraft assembly stagings.


Tagging  technology 

The  idea  to  track  the  location  of 
factory  assets  physically  using  an 
802.11  network  originated  in  the 
company’s  PhantomWorks  R&D 
group.  At  the  time  the  idea  was  to 
use  the  existing  Cisco  Aironet 
WLAN  installed  in  the  factories  to 
do  the  physical  tag  tracking. 

“Even with fairly big parts, you’d be surprised how easy it is to lose track of stuff,” says Richard Paine, a network technologist with the PhantomWorks Math and Computing Technologies division.

The location tracking for assets in the factory is more selective than slapping an RFID chip on every wrench and bolt. The 802.11 active tags, which are about the size of a book of matches and contain batteries and circuitry, cost $45 to $60 apiece. The tags are put on only components and tools that are “valuable enough so that we don’t mind putting an active tag on them,” Paine says. Boeing uses tag products, WLAN tracking servers and software from Aeroscout.

Everything from lifts, cranes, jet engines and planes’ fuselage parts are tagged. The units constantly relay the position of whatever they are attached to, using one of two types of technology: Received Strength Signal Indicator (RSSI) and Time Difference of Arrival (TDOA).

RSSI lets an 802.11 network track an object physically by measuring the strength of the signal against three points, then using that triangulation to get the exact position. TDOA similarly triangulates a WLAN tag, but a time-stamp technique is used to pinpoint location. A location tracking server provides a real-time view of where everything is and where it has been.

“The issue is that a lot of [802.11 equipment] is designed for an office environment,” Farricker says. “So we’re working with our vendors to ensure we have the capabilities required in these cavernous locations, which really look more like the outdoors.”

The physical positioning of the access points in the factory is simple: “You have a north wall and a south wall,” Farricker says. “They both have [access points] on them, and they all point to the middle of the factory.”

Before location tracking was added to the network, engineers with laptops and tablet PCs used the WLAN for data access on the plant floor. Coverage of the large space was spotty, however.

The trick to better coverage was the ability to make dynamic changes in power settings and antennae directions on the access points. This also was essential for real-time location tracking, which must adapt to major shifts in the physical environment on the plant floor.

“Previously you would have to go and design the channel and power levels based on the environment” with first-generation 802.11 equipment, Farricker says. “In the airplane business, the fact that you have large, metallic airplanes moving around in the middle of everything makes things more complex.” This made radio frequency configurations a moving target: One day there would be open space, and another a 20-foot aluminum fuselage creating a WLAN dead spot. The statically configured Cisco Aironet WLAN gear used previously for plant floor data access required manual tweaking of signal power and antennae direction to accommodate the constantly shifting dead spots. Boeing is a predominantly Cisco network, but it had started to look elsewhere for a more flexible WLAN vendor.

Airespace WLAN gear using Lightweight Access Point Protocol (LWAPP) technology was tested in the factory in 2004, before Cisco acquired Airespace. This was a key development in Boeing’s plans for factory-floor WLAN, because the technology allowed for a more simplified setup. “LWAPP is allowing a dynamic design and taking a lot of the site-survey pieces out of the equation,” Farricker says.

“What allowed us to continue to go the Cisco path was the Airespace acquisition,” he says. “We had spoken to Cisco on many occasions, and told them that [the older-version access points] were really limited; we told them that they had to step up as far as what we need to provide for our customers in terms of availability.”

The most impressive thing Farricker says he’s seen during the WLAN rollout is “how the technology has matured, just within the last year.” Dynamic RF power configuration, centralized security and management, and improved QoS and reliability are some of the gains.

“We’ve gotten to the point of where we can actually do things” with WLAN technology, he says. “Then all of a sudden you get into the discussion of RSSI vs. TDOA. What are the accuracy constraints of both? How about tags in the 802.11g environment?” Location tags are mostly 802.11b-based today, he says.


Overall, the wireless industry is responding well to the company’s needs, Farricker says. That’s good, because demand for advanced WLAN technology is booming inside the company.

“Because of the benefits such as productivity gains for our customers in the factories, [WLAN and location tracking] are at a point where they’re really being pushed to be deployed,” he says.

Data  deluge 

The next challenge for Boeing’s PhantomWorks, IT and network groups is how to deal with the massive amounts of data generated by location tracking.

“How  do  you  manage  all  of  this 
real-time  data  that’s  coming  from 
RFID  systems  and  sensors  and  the 
rest  of  it?”  the  PhantomWorks 
group’s  Paine  asks.  “Data  mining 
can  become  a  real  issue  when 
you’ve  got  all  of  this  information 
flowing  all  over  the  place.” 

Farricker  agrees. 

“I see that as being just a huge area,” he says. “Right now [location data tracking] is really project-oriented or program-oriented technology.” As it becomes more widespread, how Boeing as a whole uses the aggregated data from its manufacturing processes could lead to more valuable and productivity-enhancing applications.

“We could go out and utilize that data for something else,” he says. “Even for things like parts inventories. Parts history. Having a database that can trend it all. I can see us doing many more things with all this tag data.” ■
Secure Mobile Architecture

In  addition  to  its  WLAN  tracking  efforts,  Boeing's  IT  and  PhantomWorks  R&D  groups 
are  working  on  a  new  way  to  secure  the  company's  sprawling  802.11  network  with 
something  it  calls  Secure  Mobile  Architecture.  Read  more  about  it  at: 

www.nwdocfinder.com/3259 
Microsoft customers
warily  eye  mgmt  plan 


BY  JOHN  FONTANA 

SAN DIEGO — Corporate users are generally pleased with the direction and pace of development of Microsoft’s management software but are not ready to take on the vendor’s broad self-healing, model-based management initiative.

Microsoft gathered 3,000 customers last week at the annual Microsoft Management Summit and unveiled new pieces of its platform, including System Center Service Desk (SCSD), a workflow-based problem discovery and resolution tool. Also announced was the acquisition of service provider AssetMetrix, whose asset management capabilities will be integrated with Microsoft’s management software.

“They  are  gaining  momentum,”  said  Troy 
Olson,  a  senior  systems  analyst  for  Hutchinson
Technology,  a  Hutchinson,  Minn.,
manufacturer  of  suspension  assemblies  for 
disk  drives.  Olson  said  his  company  is 
investigating  service  desk  tools  and 
lamented  Microsoft’s  timing,  since  SCSD  is 
not  scheduled  to  ship  until  next  year. 
“Microsoft  can  do  the  best  integration 
among  its  own  stuff,  but  it  has  been  a  long 
time  coming  with  [SCSD].” 

Vendors  such  as  Altiris,  BMC  Software, 
Novell  and  Symantec  offer  similar  tools. 

Olson  and  others  said  Microsoft’s 
System  Management  Server  (SMS)  and 
Microsoft  Operations  Manager  (MOM) 
are  their  focus  in  terms  of  building  software
to  manage  Windows.  But  the  company’s
big-picture  management  model,
which  builds  off  of  those  two  products
and  many  others,  is  not  getting  their  attention.
That  broad  model  is  defined  by  the
Dynamic  Systems  Initiative  (DSI)  and  its 
System  Definition  Model  (SDM),  which 
are  the  soul  of  a  10-year  plan  to  create  a 
self-healing,  model-based  management 
platform  for  Windows. 

Today,  only  the  development  tool  Visual 
Studio  supports  SDM  1.0.  Microsoft  said  it 
is  ready  to  introduce  SDM  3.0,  which  it  has 
been  working  with  internally  and  with 
partners. 

DSI  and  SDM  were  not  prominently  discussed
at  the  Management  Summit,  although
Microsoft  reiterated  that  SDM  3.0
would  be  supported  in  the  forthcoming
SMS  Version  4  and  MOM  Version  3.  The  company
gave  no  information  on  specific  tools
or  capabilities  that  software  will  offer.

The  only  news  Microsoft  announced  related
to  those  two  products  was  aligning
them  with  its  System  Center  branding  by  renaming
them  System  Center  Configuration
Manager  (SCCM)  2007  and  System  Center
Operations  Manager  2007,  respectively.

In  terms  of  DSI  and  SDM,  Rick  Jones,  a
systems  engineer  with  Cingular  Wireless,
said,  “I  can’t  think  that  far  ahead.”  But  he
said  Microsoft  is  doing  a  great  job  with
SMS  and  MOM.

“We  couldn’t  manage  our  servers  without
MOM,”  he  said.  “We  are  trying  to  get  to  a
point  where  it  is  easier  to  manage  everything.”
He  said  SMS  2003  Release  2,  slated  to
ship  before  the  end  of  June,  will  help  make
it  easier  to  roll  out  patches  and  that  his
company  is  developing  a  test  environment
to  evaluate  the  SMS  Version  4  and  MOM
Version  3  betas.

Microsoft  played  up  a  new  tool  called
System  Center  Service  Desk,  which  includes
a  workflow  engine  based  on  the
forthcoming  Windows  Workflow  Foundation
and  incorporates  IT  Infrastructure
Library,  a  set  of  best  practices  for  IT  services
management  and  the  Microsoft  Operations
Framework.

Service  Desk  also  will  include  the  foundation
for  Microsoft’s  configuration  management
database  (CMDB),  which  will  host
SMS  and  MOM  data.  In  addition,  BizTalk  will
provide  the  integration  framework  for
CMDB,  System  Center  Reporting  Manager
will  handle  reporting  chores,  and  SQL
Server  will  provide  data  warehousing.

Microsoft  also  said  it  is  acquiring  AssetMetrix,
which  runs  a  hosted  service  for
asset  tracking  of  hardware  and  software,  including
licensing  compliance.

The  AssetMetrix  catalog  of  data  can  be
merged  with  customers’  Microsoft  Licensing
Statements,  which  detail  the  software  a
company  has  licensed  from  Microsoft,  to
produce  a  license  compliance  report.

The  AssetMetrix  data  can  be  imported 
into  current  versions  of  SMS,  according  to 
Microsoft.  The  AssetMetrix  catalog  technology,
which  includes  an  agent  that  collects
data  from  desktops  and  servers,  will  be  fully 
integrated  with  SMS  in  the  next  six  to  nine 
months.  Microsoft  officials  said  they  plan  to 
release  an  out-of-band  product  that  works 
on  top  of  SCCM  2007,  as  well  as  continue 
the  hosted  service.  ■ 

Cisco  updates  joint  CRM  system


BY  STEPHEN  LAWSON,  IDG  NEWS  SERVICE 

Cisco  is  enhancing  its  CRM  software  with
small  and  midsize  businesses  in  mind,  integrating
it  with  an  improved  version  of
Microsoft’s  Dynamics  CRM  and  bringing  it  to
the  screens  of  Cisco  IP  phones.

Cisco’s  Unified  CRM  Connector  works  with
Dynamics  CRM  to  streamline  contact-center
functions.  The  software  creates  automatic
screen  pop-ups  with  caller  information,  provides
click-to-dial  capability,  captures  call  information
and  creates  customer  records.  It
delivers  these  features  on  a  PC  through  integration
with  Cisco  IP  phones.

Version  3.0,  the  latest,  is  integrated  with  the
recently  announced  Dynamics  CRM  3.0.
Besides  taking  advantage  of  improvements
in  the  Microsoft  software,  the  new  CRM  Connector
can  deliver  to  Cisco  IP  phones  a  subset
of  the  information  it  puts  up  on  PC
screens.

SMBs  are  interested  in  IP  telephony  but
want  to  see  more  capabilities  than  they  have
with  conventional  phones,  according  to
Yankee  Group  analyst  Gary  Chen.

“Integration  with  CRM  is  one  of  the  killer
apps  with  VoIP”  because  customer  information
is  so  closely  involved  with  phone  calls,
Chen  says.  Many  SMBs  use  CRM  software,  and
Microsoft’s  product  has  done  well  among
them,  he  adds.

The  prospect  of  using  CRM  Connector  convinced
GreenStone  Farm  Credit  Services  in
East  Lansing,  Mich.,  to  adopt  IP  telephony.
GreenStone,  which  has  37  locations  in
Michigan  and  Wisconsin,  is  deploying  IP
phones  companywide.  It’s  testing  CRM
Connector  1.2  and  plans  to  roll  it  out
midyear.  The  company  expects  to  deploy
Version  3.0  later  this  year  or  in  the  first  half  of
2007,  says  Dominic  Roberts,  GreenStone’s
vice  president  of  information  services.

GreenStone  started  using  Dynamics  CRM  a
few  years  ago  to  bring  together  customer  data
from  different  platforms,  Roberts  said.  Better
customer  service  has  resulted,  because
employees  have  more  information  at  hand,
such  as  what  customers  have  bought  and  what
promotions  they  have  been  offered  already.

The  extension  of  CRM  Connector  to  Cisco
IP  phones  will  be  a  major  benefit  of  the  new
version,  Roberts  says.  “They  don’t  like  it  when
10  windows  pop  up  in  their  face  when
they’re  looking  at  a  CRM  screen,”  he  says.
“They  would  love  to  have  two  screens.”

Roberts  hopes  to  bring  the  company’s
internally  developed  GreenConvert  application
to  employees’  phones.  GreenConvert
grabs  information  about  a  customer’s  existing
loans  and  calculates  whether  there  is  a
lower  interest-rate  loan  it  can  offer  that  will
benefit  both  GreenStone  and  the  borrower,
he  says.  If  so,  the  details  would  pop  up  on  the
screen  of  the  phone.

Unified  CRM  Connector  3.0  is  available
now.  ■


EMC  expands  strategy,  targets  IBM 


BY  SHELLEY  SOLHEIM,  IDG  NEWS  SERVICE

BOSTON  —  As  EMC  looks  to
expand  beyond  its  storage  hardware
roots,  its  customers  also  are
looking  to  EMC  to  help  address
their  data  management,  storage
and  protection  needs.

At  the  EMC  World  conference
last  week,  the  company  rolled
out  new  resource  management
and  information  security  products
from  its  myriad  acquisitions.

For  the  past  several  years  EMC
has  been  on  a  spree  of  buying
software  and  services  companies
to  help  it  expand  beyond  its  roots
as  a  storage  company  into  a  one-stop
shop  for  storing,  managing,
protecting  and  securing  corporate
data.

It  is  currently  figuring  out  how
to  integrate  all  of  its  products.
“EMC’s  biggest  challenge  is  that
they  have  so  many  offerings  no
one  can  even  understand  what
they  have,  even  their  own  people,”
said  Bob  Diamond,  vice  president
of  IT  for  Orange  Regional  Medical
Center  in  Orange  County,  N.Y.,  at
the  conference.

While  EMC  is  working  to  tie
together  the  companies  it  has
acquired,  EMC  President  and
CEO  Joe  Tucci  made  it  clear  that
the  company  is  not  done  shopping
around.

“We  will  use  some  of  our  balance
sheet  assets  to  acquire
more  technologies;  there  are
more  companies  we  have  on  our
hit  list,”  Tucci  said  in  a  keynote
address  at  the  show.

Among  essential  areas  for
growth  through  in-house  development
or  acquisition  are
model-based  resource  management,
information  security  and
virtualization,  Tucci  said.

EMC  introduced  two  resource
management  products  based  on
technologies  it  gained  in  its  $260
million  acquisition  of  Smarts  in
late  2004.

The  company  rolled  out  EMC
Smarts  Storage  Insight  for
Availability,  designed  to  leverage
EMC’s  ControlCenter  storage  management
software  to  monitor  storage-area
network  elements  and
the  impact  of  failures  on  other
parts  of  the  infrastructure,  such  as
host  devices,  file  systems,  EMC
PowerPath  logical  paths  and  EMC
Celerra  NAS  systems.  Pricing  for
the  software  starts  at  $750  to
$1,000  per  terabyte.

Also  new  is  EMC  Smarts  Application
Discovery  Manager,  a  1U
Intel  appliance  with  software  that
maps  applications  and  their  relationships
to  help  users  understand
how  application  behavior
affects  infrastructure  elements.
Pricing  starts  at  about  $220,000
for  2,000  nodes.

The  company  also  announced
a  storage  and  security  line  called
EMC  Assessment  Service  for
Storage  Security,  geared  to  help
businesses  evaluate  security
risks,  and  digital  rights  management
software  based  on  technology
it  acquired  from  Authentica
earlier  this  year.

Orange  Regional  Medical  Center,
like  many  other  businesses  in
the  highly  regulated  healthcare
industry,  is  struggling  with  how  to
deal  with  the  explosion  of  data
that  has  to  be  stored  and  managed
in  compliance  with  regulations,
Diamond  said.

The  hospital  is  purchasing  EMC
hardware,  software  and  services  to
implement  a  multi-tiered  storage
architecture.  “Our  storage  capacity
is  up  significantly;  we  have  so
many  large  images  that  we’re  not
allowed  to  get  rid  of,”  he  said.

Another  user  at  the  show  was
also  looking  to  address  compliance
requirements  but  was  seeking
more  vertical-market  systems.

Ashwani  Kashyap,  of  Hoffman-La  Roche,
a  pharmaceutical  company
in  Nutley,  N.J.,  said  his  company
faces  increased  compliance
pressure  from  the  Food  and  Drug
Administration  (FDA)  to  provide
information  about  how  the  company
stores  and  manages  its  data.

“My  biggest  challenge  is  that  the
people  managing  the  applications
want  to  know  where  the
data  is  located  and  how  it  is  managed,
because  the  FDA  is  requiring
it  and  they  really  need  granular
information.  I  want  to  be  able
to  give  that  information,”  Kashyap
said.  ■



NETWORKWORLD 

EDITORIAL  DIRECTOR:  JOHN  GALLANT 
EDITOR  IN  CHIEF:  JOHN  DIX 

■  NEWS 

EXECUTIVE  EDITOR,  NEWS:  BOB  BROWN 
NEWS  EDITOR:  MICHAEL  COONEY 
NEWS  EDITOR:  PAUL  MCNAMARA 

■  NET  INFRASTRUCTURE 

SENIOR  EDITOR:  JOHN  COX  (978)  834-0554 

SENIOR  EDITOR:  TIM  GREENE 

SENIOR  EDITOR:  PHIL  HOCHMUTH 

SENIOR  EDITOR:  ELLEN  MESSMER  (941)  792-1061 

■  ENTERPRISE  COMPUTING 

SENIOR  EDITOR:  JOHN  FONTANA  (303)  377-9057 
SENIOR  EDITOR:  DENI  CONNOR  (512)  345-3850 
SENIOR  EDITOR:  JENNIFER  MEARS  (520)  818-2928 

■  APPLICATION  SERVICES 

SENIOR  EDITOR:  CAROLYN  DUFFY  MARSAN,  (317)  566-0845

SENIOR  EDITOR:  ANN  BEDNARZ  (612)  926-0470

SENIOR  EDITOR:  DENISE  DUBIE

SENIOR  EDITOR:  CARA  GARRETSON  (240)  246-0098

■  SERVICE  PROVIDERS

SENIOR  EDITOR:  DENISE  PAPPALARDO,  (703)  768-7573

MANAGING  EDITOR:  JIM  DUFFY  (716)  655-0103

■  NET.WORKER

MANAGING  EDITOR:  JOHN  DIX 

■  COPY  DESK/LAYOUT 

MANAGING  EDITOR:  RYAN  FRANCIS 
SENIOR  COPY  EDITOR:  JOHN  DOOLEY 
COPY  EDITOR:  TAMMY  O'KEEFE 
COPY  EDITOR:  BOB  SPRAGUE 
COPY  EDITOR:  CAROL  ZARROW 

■  ART 

DESIGN  DIRECTOR:  TOM  NORTON
ART  DIRECTOR:  BRIAN  GAIDRY
SENIOR  DESIGNER:  STEPHEN  SAUER 
ASSOCIATE  DESIGNER:  ERIC  ANDERSON 

■  FEATURES

FEATURES  EDITOR:  NEAL  WEINBERG

SENIOR  MANAGING  EDITOR,  FEATURES:  AMY  SCHURR

OPINIONS  PAGE  EDITOR:  SUSAN  COLLINS

■  CLEAR  CHOICE  TESTS

EXECUTIVE  EDITOR,  TESTING:  CHRISTINE  BURNS,  (717)  243-3686

SENIOR  EDITOR,  PRODUCT  TESTING:  KEITH  SHAW,  (508)  490-6527

LAB  ALLIANCE  PARTNERS:  JOEL  SNYDER,  Opus  One;
JOHN  BASS,  Centennial  Networking  Labs;  BARRY
NANCE,  independent  consultant;  THOMAS
POWELL,  PINT;  Miercom;  THOMAS  HENDERSON,
ExtremeLabs;  TRAVIS  BERKLEY,  University  of
Kansas;  DAVID  NEWMAN,  Network  Test;
CHRISTINE  PEREY,  Perey  Research  &  Consulting;
JEFFREY  FRITZ,  University  of  California,  San
Francisco;  JAMES  GASKIN,  Gaskin  Computing
Services;  MANDY  ANDRESS,  ArcSec;  RODNEY
THAYER,  Canola  &  Jones;  SAM  STOVER,  independent
consultant

CONTRIBUTING  EDITORS:  DANIEL  BRIERE,  MARK  GIBBS,
JAMES  KOBIELUS,  MARK  MILLER

■  NETWORKWORLD.COM

EXECUTIVE  EDITOR,  ONLINE:  ADAM  GAFFIN
MANAGING  EDITOR:  MELISSA  SHAW
SITE  EDITOR:  JEFF  CARUSO,  (631)  584-5829
SENIOR  ONLINE  NEWS  EDITOR:  LINDA  LEUNG,  (510)  768-2808

MULTIMEDIA  EDITOR:  JASON  MESERVE
ASSOCIATE  ONLINE  NEWS  EDITOR:  SHERYL  HODGE
SENIOR  ONLINE  GRAPHIC  DESIGNER:  ZACH  SULLIVAN

■  SIGNATURE  SERIES

EDITOR:  BETH  SCHULTZ,  (773)  283-0213
EXECUTIVE  EDITOR:  JULIE  BORT  (970)  482-6454
COPY  EDITOR:  TAMMY  O'KEEFE

EDITORIAL  OPERATIONS  MANAGER:  CHERYL  CRIVELLO
OFFICE  MANAGER,  EDITORIAL:  GLENNA  FASOLD
EDITORIAL  OFFICE  ADMINISTRATOR:  PAT  JOSEFEK
MAIN  PHONE:  (508)  460-3333
E-MAIL:  first  name_last  name@nww.com


RISK  MANAGEMENT  FIRM  SOLVES 


TER  RECOVERY 



Quality  Built  was  committed  to  centralizing
voice  and  data  applications  and  providing  real-time
data  replication  between  locations.  The
builder  risk  management  firm  required  assurance
that  their  WAN  was  up  to  the  challenge.

Quality  Built  is  the  largest  builder  risk  management  services  firm  in
the  United  States,  providing  claim  services  to  all  types  of  construction
environments  -  from  single-family  homes  to  luxury  high-rise  projects.
The  company  has  worked  on  more  than  225,000  projects
across  the  country,  representing  a  total  construction  risk  value  of
$1.01  billion  in  2005.

“In  our  business,  terabytes  of  data  are  transferred  each  day  to 
clients  and  partners,  as  well  as  between  Quality  Built  facilities,"  said 
Mitch  Nabors,  Network  Administrator  at  Quality  Built.  “This  places  an 
enormous  burden  on  IT.” 

All  Quality  Built  employees  require  fast  and  reliable  access  to 
core  applications  that  enable  the  sharing  of  business  information. 
This  includes  NAS  file  servers,  Microsoft  Exchange  email,  a 
corporate  intranet,  and  several  SQL  databases.  This  information 
is  protected  using  real-time  replication  to  a  disaster  recovery 
location  in  Denver. 

The  Strategy 

With  a  rapidly  growing  customer  base,  Quality  Built  assessed  their  rising
IT  costs  and  determined  that  the  best  way  to  improve  information
delivery  and  to  guarantee  proper  data  backup  is  to  centralize  all  application
servers  within  their  main  data  center  in  San  Diego.

“It  was  cost  prohibitive  to  duplicate  servers  and  storage  in  branch 
locations,"  said  Nabors. 

Server  distribution  would  require  additional  hardware  and  software 
expenditures,  and  add  server  support  costs.  In  addition,  it  would 
require  Quality  Built  to  upgrade  existing  operating  systems,  add 
clustering  capabilities  across  their  databases,  build  out  new  server 
room  facilities,  and  implement  a  new  Storage  Area  Network  (SAN). 
Quality  Built  would  also  have  to  add  senior  IT  personnel  to  support 
this  initiative. 

Added  Nabors,  “when  everything  was  factored  in,  we  estimated  that 
centralizing  all  application  servers  would  save  us  close  to  $360,000 
per  regional  office.” 


The  Challenges 

Server  centralization  did  not  come  without  challenges  in  the  Quality 
Built  environment. 

“In  some  instances,  it  would  take  over  30  minutes  to  transfer
large  files  across  the  WAN,”  explained  Nabors.  “Similarly,  it  would  take
hours  to  back  up  all  corporate  data  to  Denver  across  dual
bonded  T1  links.”

In  addition,  Quality  Built  invested  in  Voice  over  IP  (VoIP)  equipment 
to  eliminate  long  distance  charges  between  corporate  locations. 
However,  users  complained  that  VoIP  calls  sounded  “garbled”  and 
“digitized”  across  the  WAN. 

“We  save  close  to  $20,000  per  year  doing  VoIP,” 
said  Nabors.  “But  poor  voice  quality  was  preventing 
end  users  from  appreciating  the  benefits  of  this 
technology.” 

Searching  for  a  Solution

In  April  2005,  Quality  Built  determined  that  an
acceleration  solution  was  required  to  improve
application  usability  across  their  WAN.  In  addition,  they  required
a  solution  that  could  ensure  the  real-time  replication  of  large
volumes  of  data  without  requiring  significant  investments  in
WAN  bandwidth.

The  company  spent  four  months  evaluating  a  wide  range  of  acceleration
products.

“We  ruled  out  basic  compression  solutions  because  they  did  not 
provide  enough  bang  for  our  buck,”  said  Nabors. 

The  company  also  explored  Wide  Area  File  Services  (WAFS),  but 
it  was  concerned  that  caching  technology  might  result  in  the  delivery  of 
inconsistent  information  across  different  Quality  Built  locations.  Plus, 
WAFS  only  addressed  a  subset  of  Quality  Built’s  total  application 
acceleration  needs. 

“For  us  to  invest  in  a  new  technology,  it  must  improve  the
performance  of  all  of  our  applications,  including  email,  web,
SQL  database  transactions  and  the  transfer  of  backup  files.  We
cannot  cost-justify  a  separate  solution  for  every  application  in
our  network,”  added  Nabors.

SILVER  PEAK  RESULTS

■  20x  reduction  in  web  traffic

■  30x  improvement  in  file  transfer

■  Toll  grade  voice  quality  across  WAN

■  Saved  nearly  $360,000  per  site  in  hardware,  software,
facility  and  support  costs

■  Save  $20,000  per  year  using  VoIP

Building  a  Solid  Foundation 

Ultimately,  Quality  Built  selected  Silver  Peak’s  NX-3500  appliances. 

Silver  Peak  appliances  leverage  data  reduction  to  eliminate 
the  transfer  of  duplicate  information  across  the  Quality  Built 
Wide  Area  Network.  The  Silver  Peak  solution  uses  a  technique 
called  “Network  Memory”™  to  remember  every  byte  of  information 
that  traverses  the  WAN  between  Quality  Built  offices.  Network 
Memory  recognizes  duplicate  patterns  in  real-time 
and  sends  references  across  the  WAN  that  enable  the  information 
to  be  delivered  locally  by  remote  Silver  Peak  appliances.  This 
reduces  WAN  traffic  by  over  99%  and  improves  perceived 
application  response  time. 

“We  saw  a  20x  reduction  in  web  traffic,"  professed 
Nabors.  “In  addition,  30  minute  file  transfer  times 
were  reduced  to  less  than  1  minute.” 

Silver  Peak  also  provides  Quality  of  Service 
(QoS)  features  that  can  be  used  to  prioritize 
time-sensitive  voice  traffic.  This  helped  Quality 
Built  eliminate  virtually  all  distortion  on  VoIP  calls 
across  their  WAN. 

Hardware-based  encryption  of  local  data 
stores  enabled  Quality  Built  to  confidently  replace  servers  with 
new  acceleration  appliances. 

“The  last  thing  we  wanted  to  do  was  to  improve  application  performance
at  the  expense  of  data  security,"  added  Nabors.

Quality  Built  decided  to  deploy  Silver  Peak  NX  appliances  in  all
locations.  The  security,  compliance,  cost  and  management  savings
that  Quality  Built  achieved  by  centralizing  file,  email,  VoIP,  web,  and
SQL  applications  more  than  justified  the  expenditure  in  network
acceleration  appliances.  In  addition,  Silver  Peak  enabled  Quality
Built  to  maximize  the  company’s  investment  in  strategic  applications,
such  as  VoIP.

“Our  WAN  can  now  handle  any  application  that  we  throw  at  it,”  said 
Nabors.  “To  a  company  that  is  in  the  business  of  managing  risk,  that 
type  of  assurance  goes  a  long  way.” 


FOR  MORE  DETAILS 

For  more  information  on  Quality  Built’s 
case  study,  including  a  detailed  three- 
year  cost  savings  analysis,  visit: 
www.silver-peak.com/quality_built 

Call:  888-598-7325  (toll  free)
or  +7  650-331-3581  (international)

Silver  Peak

QUALITY  BUILT’S  CHALLENGES 


■  Poor  web,  e-mail,  and  file 
performance  across  WAN 

■  Stringent  data  replication 
needs  between  locations 

■  Noticeable  issues  with 
VoIP  quality  across  WAN 

THE  NEW  CEILING-MOUNTED  CM  1 2 

THE  PERFECT  COOLING  SOLUTION 
FOR  CRAMPED  SERVER  ROOMS 


Warning  Signals 
&  Audible  Alarms  for 
Condensation  Overflow 


Conveniently  Controlled  by 
Most  Off-the-Shelf  Thermostats 


15.5" 


Built-in  10" 


2.7"  Flange  Depth 
for  Easy  Duct 
Installation 


Works  witn 
Fire  Alarm  Controls”^ 
for  Safety  Shut-Off 


Connects  to  Building 
Control  System 


Standan 
I  Internal- f 


With  over  20  years  of  server  room  spot 
cooling  experience,  MovinCool  is  uniquely 
qualified  to  deliver  the  perfect  small-space 
solution  —  the  innovative  new  CM  1 2. 

Featuring  the  shortest  top-to-bottom 
profile  in  the  industry,  the  CM  1 2  fits  into 
virtually  any  drop-ceiling.  Adding  10,500 
BTU/h.  of  cooling  has  never  been  so  quick 
and  easy! 

Call  today  for  more  information  on  the 
space-saving  CM  1 2  —  the  innovative  new 
spot  cooling  solution  that  goes  above  and 
beyond  all  others. 

800-264-9573 

www.movincool.com 


Built-in 

Mounting  Brackets 
Designed  for  Off-the-Shelf 
Mounting  Hardware 


Wide  Operating  Range 


THE  ONLY  SPOT  COOLER 
WITH  ITS  FOOTPRINT 


ON  THE  CEILING. 


ff  HE  NEW  CEILING-MOUNTED  CM  1 2 

T>  PERFECT  COOLING  SC  'JTION 


FO  CRAMPED  SERVER  ROOMS 


Warning  Signals  Conveniently  Controlled  by 

&  Audibi  e  Alarms  for  Most  Off-the-Shelf  Thermostats 

Condensation  Overflow  • 


27"  Flange  Depth 
for  Easy  Duct 
Installation  ' 


With  over  20  years  of  server  room  spot 
cooling  experience,  MovinCool  is  uniquely 
qualified  to  deliver  the  perfect  small-space 
solution  —  the  innovative  new  CM  1 2. 

Featuring  the  shortest  top-to-bottom 
profile  in  the  industry,  the  CM  1 2  fits  into 
virtually  any  drop-ceiling.  Adding  10,500 
BTU/h.  of  cooling  has  never  been  so  quick 
and  easy! 

Call  today  for  more  information  on  the 
space-saving  CM  12  —  the  innovative  new 
spot  cooling  solution  that  goes  above  and 
beyond  all  others. 

800-264-9573 

www.movincool.com 


Mounting  Brackets 
Designed  for  Off-the-Shelf 
Mounting  Hardware 


Wide  Operating  Range 


CM  12  -  ENGINEERED  TO  SAVE  SPACE,  TIME  AND  COST 


SAVE  SPACE 

•  Mounts  in  ceiling,  eliminating  need  for 
floor  space 

•  Perfect  for  equipment  rooms  and  small 
server/telecom  closets 


SAVE  TIME 

•  Designed  for  quick  and  easy 
installation  with  built-in  flanges  and 
mounting  brackets 

SAVE  COSTS 

■  Quick  installation  reduces  labor  costs 
Spot  cooling  is  an  energy  efficient 
alternative  to  central  air  conditioning 


A 


Connects  to  Building 
Control  System 


CMI2- THE  COOLING  SOLUTION  THAT'S 
OVER  EVERYONE’S  HEAD 


TECHNICAL SPECS CM 12

Cooling Capacity
  Rating Condition 80°F 50%RH (Evaporator), 95°F 40%RH (Condenser): 10,500 Btu/h*

Voltage Requirement: 1 Phase, 115V

Electrical Characteristics
  Total Power Consumption: 1.23 kW
  Current Consumption: 11.9 amps
  Recommended Fuse Size: 15 amps
  Min. - Max. Voltage: 105 - 125

Evaporator Fan
  Max. Air Flow - high/low — typical installation: 324 CFM/228 CFM
  Max. External Static Pressure: 0.16 IWG

Condenser Fan
  Max. Air Flow - high/low — typical installation: 700 CFM/370 CFM
  Max. External Static Pressure: 0.12 IWG

Refrigerant
  Type/Charge: R-22/1.14 lb

Dimensions
  W x D x H: 35 x 23 x 15.5 in

Weight
  Net Weight/Shipping Weight: 121/140 lb

Condensate Pump Capacity
  Pump Rate/Head: 5 gal/hr / 4 ft

Operating Conditions
  Min. - Max. (@50% RH): 65 - 95°F (Evaporator)/65 - 113°F (Condenser)

Max. Duct Length
  Cold Duct Hose (Evaporator): 20 ft
  Hot Duct Hose (Condenser): 10 ft

Max. Sound Level
  Typical Installation: 52 dB


Wall thermostat and mounting hardware not included. ©2006 DENSO Sales California, Inc. MovinCool, Spot Cool and Office Pro are registered trademarks of DENSO Corporation.
All specifications subject to change without notice.

*  Actual  performance  varies  with  installation  configuration. 


MOVINCOOL - THE #1 LINE OF SPOT COOLING SOLUTIONS


CLASSIC & CLASSIC PLUS

Industrial strength cooling for workers, warehouses and
manufacturing facilities. Ideal for the hottest environments,
including production lines, outdoor events and processes.
The Classic and Classic Plus lines offer 6 models ranging in
capacity from 10,000 to 60,000 BTU/h.


OFFICE PRO

MovinCool’s stylish line of high-capacity spot coolers. Six models to
choose from, with a range that kicks out anywhere from 9,600 to
59,500 BTU/h of quick-chilling air to keep server and equipment
rooms cool and critical data up and running.


The perfect plug-and-chill portable cooler for small, individual hot spots.


lich cooling you need, no matter where you need it, MovinCool’s got you covered,
our portable models in, plug it in, and switch it on. Then let the cooling trend begin!

NET INFRASTRUCTURE

SECURITY ■ SWITCHING ■ ROUTING ■ VPNS ■ BANDWIDTH MANAGEMENT ■ VOIP ■ WIRELESS LANS


Short  Takes  I  InSite: 


Coffee  chain  brews  up  POS  gear 


Coffee operations

Coffeehouse retailer Caribou Coffee Co. is upgrading its sales terminals
and kitchen units with IBM's SurePOS 500 point-of-sale systems and IBM
Anyplace Kiosk units.

[Diagram labels: Caribou Coffee; corporate headquarters; T-1, DSL or 56K frame connection]

• Compact kiosks eliminate the need for separate display and
processing units, which makes cable management easier.

• Anyplace Kiosk units have enough internal processing power
and memory to act as backup for managers' workstations.

• SurePOS systems don't require a separate server and do double duty as sales registers and managers'
workstations for handling operational and reporting tasks.

• SurePOS terminals have extra ports for future upgrades, such as a move to contactless payment technology.


■ NetGear announced last week its ProSafe stackable switches. These
include 24- and 48-port 10/100/1000Mbps Layer 3 switches, each
with four slots of optional 10G Ethernet uplinks. The 24-port
GSM7328S and 48-port GSM7352S switches, which cost $2,790 and
$4,600 respectively, support IEEE 802.1x port-based authentication and
access-control lists for security features, as well as full Layer 3 routing.
For 10G Ethernet, a ProSafe AX741 10-Gigabit adapter and optical
modules can be added. The adapter costs $600; the AXM751 short-reach
10G module costs $2,790, and the long-range AXM752 fiber modules
cost $3,765.

■ RSA Security last week acquired PassMark Security, a privately
held provider of authentication software, for $44.7 million in a deal
consisting of $9 million in cash and the balance in RSA common stock.
PassMark’s authentication software is used primarily by financial
institutions to offer customers a stronger form of authentication than
passwords. It asks them to identify images and phrases, a process that
also helps thwart phishing attacks by validating the Web site to the
customer. RSA Security last December began branching out beyond its
traditional expertise when it acquired Cyota, whose combined products
and services are used mainly by banks for risk-based fraud analysis
and prevention.

■ Alert Logic, a managed-security service provider, announced last
week it now supports patch management, network quarantining and
encrypted traffic monitoring through Network Protection on Demand,
an outsourcing service combining on-premise appliances,
software-as-a-service and personnel for monitoring. Other services
from Alert Logic include intrusion detection and vulnerability
assessment. The managed security services start at $500 per month.


BY  ANN  BEDNARZ 

To  demonstrate  the  ruggedness  of  IBM’s 
point-of-sale  gear,  sales  executives  held 
display  screens  under  running  water. 
Steven  Bolduc,  senior  manager  of  POS 
and  technical  support  at  Caribou  Coffee 
Co.,  was  impressed. 

“For a coffee company, that’s big,” Bolduc says. Spills are unavoidable
in Caribou’s 400 retail coffee shops, and the IT gear has to be able to
withstand frequent dousing. Size is also a concern: Some of the retail
stores are small, and service devices have to do double duty as
managers’ workstations for handling operational and reporting tasks.

After researching its options, Minneapolis-based Caribou settled on
IBM’s SurePOS 500 terminals and IBM Anyplace Kiosk units, both of
which run Windows XP. The new SurePOS 500 terminals are for
employees to take orders and payments. In prep areas, the Anyplace
Kiosk units are Caribou’s kitchen video units, displaying customer
orders waiting to be filled.

Caribou  has  used  POS  hardware  from 
IBM  since  its  first  stores  opened  in  1992. 
Bolduc  continually  swaps  out  older  gear  for 
newer,  often  repurposing  the  older  devices. 
“There’s  always  some  sort  of  turnover,”  he
says.  “When  I  get  a  new  terminal,  I  try  to 
change  the  other  hardware  to  a  different 
area  and  get  some  more  life  out  of  it.” 

The SurePOS 500 terminals Bolduc is rolling out today have touchscreen
displays and enough processing power and memory to eliminate the need
for a separate back-office server. If a network connection is lost — the
stores are linked to corporate headquarters via T-1, DSL or 56K frame
connections, depending on service availability — the SurePOS terminals
can continue handling customer transactions.

Expandability was a key factor in the selection. “It has to have enough
power to last, and it has to have enough ports for us to add special
things,” Bolduc says. For example, Caribou is working on adding labels
to its cups, so the terminal may have to support a label printer. The
company also is considering adding bar codes to some of its retail
items, so a bar code reader could be added to the setup. “All these
peripherals have to be able to attach to that system,” Bolduc says.

The SurePOS 500 terminal is designed to allow for future rollout of
contactless payment technology, in which consumers make purchases by
waving a specially equipped plastic card, key fob or mobile phone at a
POS terminal. Account information is encrypted and transmitted
wirelessly between the payment device and the reader. Caribou isn’t
rolling out the technology yet, but it’s on Bolduc’s radar. “We are
looking at doing contactless for speed of service,” he says.

Meanwhile, form factor drove Caribou’s selection of the Anyplace
Kiosks. Their all-in-one design, in particular, appealed to Bolduc. “I
like the size of the screen, and it’s compact. We didn’t have to get a PC
base for it, and we don’t need to run cables down underneath the
counter to a processor.” The kiosks also have enough capacity to act as
backup stores for managers’ reporting applications.

In small shops, kiosks outfitted with a mouse and keyboard can do
double duty as a manager’s workstation for employee scheduling,
financial reporting and placing supply orders over the Internet. “Some
of our mall stores have really tight quarters and virtually no office to
work in,” Bolduc says.


Caribou’s POS software vendor is POSitouch, which specializes in
products for the hospitality industry. Caribou is using a third-party
outfit, RDS Systems, to install and maintain the new POS hardware.
Before the devices go out to the field, however, Bolduc and his team
iron out any kinks. “We try to spend as much time perfecting the
systems here before they go out. There’s not much to an install except
plugging in a cable and turning on the power. We’ve done all the
troubleshooting and all the customization here.”

The most difficult part of the project is timing. All device upgrades
have to happen after the stores close — and many sites operate from
6 a.m. until 11 p.m. “Everything has to be operational when they open
at 6,” Bolduc says.

Caribou plans to wrap up the first phase of the SurePOS rollout this
month. Early next year the company plans to finish deploying the
Anyplace Kiosks for its kitchen video units. Looking ahead, Caribou
plans to deploy additional kiosks for customer-facing applications.
For example, customers in a few pilot locations can use a kiosk to fill
out a job application. ■

A second look at 'Lucatel'


TOLLY  ON  TECHNOLOGY 

Kevin  Tolly 


A few weeks back when the Alcatel-Lucent merger news broke, I thought
for a moment I’d encountered a time warp. Five years ago, I wrote in my
column that a proposed merger of the companies was a bad idea.
(See “The techno-jumble that would be Lucatel,”
www.nwdocfinder.com/3228.)

I can’t remember any other merger that was put on hold for that amount
of time. Of course, Lucent, Alcatel and the world of technology have
changed dramatically since then. This time I’m on board, for the same
primary reason that most analysts cite — the need to be bigger to
compete effectively in the carrier market.

What I’ve been looking for is any indication of how this new company
will approach the enterprise. I haven’t seen the kind of focus that, say,
a Nortel is making there. But maybe the merger will change this.

Today most companies focused on the carrier market also find ways to
package their offerings for high-end enterprise deployments or
scientific and cluster-computing applications. Whatever it does with
the carriers, the new company should leverage its brand and try to
improve its standing with enterprise buyers. With many new companies
developing components or stand-alone network products — but having no
name recognition or market clout — it is a perfect opportunity for the
big guys to act as an OEM of top-notch technology. The big guy gets new
gear to sell with little or no R&D; the little guy gets sales it could
never close on its own.

But what about culture? Most analysts cite concerns over merging the
two corporate cultures. Few of these analysts remember these companies
have probably been through more merger shock than most others.

While both have been quiet on this front of late, when the two were
discussing a merger in 2001 they were in the process of trying to digest
a slew of companies between them.

I’m sure that I’ve forgotten some, but the list includes Ascend (which
had previously gobbled up Cascade), Assured Access, Newbridge Networks,
Packet Engineers, Prominet, Xedia and Xylan. Some have long been
repackaged and spun off or deactivated, but from an internal
perspective, this merger would likely be easier.

Lucent had swallowed up several Israeli firms, and Alcatel did the same
with several U.S. firms, so even those corporate culture differences
should be nothing new.

If I were Pat Russo, the Alcatel CEO-in-waiting, my biggest worry would
be Paris in the spring. Not the weather, but the riots. The government
and big employers are in a quandary because of France’s traditional
stability when it comes to employment.

With all due respect to any French citizens who might read this, French
workers seem to want it all — stability and opportunity. Well, it can’t
happen. You can’t make room for eager, well-educated workers if you
can’t sweep the nonperformers off the payroll.

France’s  social  structure  and 
its  inflexible  laws  related  to 
work  are  even  more  constricting 
than  Germany’s,  a  country 
known  for  powerful  blue-  and 
white-collar  unions. 

It  is  going  to  be  hard  for  the 
new  company  to  be  as  nimble  as, 
say,  Siemens  —  which  in  itself  is  a 
tough  thing  to  imagine.  Note  to 
Russo:  Enjoy  the  weather  while 
you  can. 

Tolly  is  president  of  The  Tolly 
Group,  a  strategic  consulting  and 
independent  testing  company  in 
Boca  Raton,  Fla.  He  can  be 
reached  at  ktolly@tolly.com. 


Interop: BorderWare to unify security appliances


BY CARA GARRETSON

At Interop this week, security vendor BorderWare will detail plans for
integrating its new Infinity platform into its existing firewall,
Session Initiation Protocol and instant-messaging security appliances.

Later this year, BorderWare plans to include Infinity with its
firewall, SIP and IM appliances so customers can set policies for
traffic flowing across all of these channels and manage all of these
devices through a single interface, says Andrew Graydon, BorderWare
CTO. The Infinity features have been integrated into BorderWare’s
MXtreme 6.0 Mail security appliance, which was released last November.

BorderWare describes Infinity as a content-security platform that
protects VoIP, e-mail, IM and Web traffic from threats while ensuring
compliance by monitoring outbound communications. Companies can use
Infinity to enforce policies, monitor, report and audit on all these
different types of traffic, Graydon says.

Being able to protect communications that traverse a range of
protocols, particularly SIP, in an integrated fashion sets BorderWare
apart from the competition, says one analyst.

“I think BorderWare is fairly unique, particularly because of their
inclusion of VoIP protection in the messaging-management mix,” says
Michael Osterman, president of Osterman Research, adding that
protecting the SIP protocol from threats will become more important as
more enterprises implement VoIP. “I would expect to see all of the
major competitors in this space offering VoIP protection in the
relatively near future.”

BorderWare competes with messaging-security appliance makers,
including Barracuda, CypherTrust, IronPort, Mirapoint and Symantec.

The Infinity platform includes BorderWare Security Network, a
reputation service that analyzes the behavior of IP addresses sending
across SMTP, HTTP, IM, FTP and SIP protocols, Graydon says, pointing
out that most competitors analyze only e-mail traffic.

The network collects data about sending IP addresses from BorderWare
appliances installed at customer sites and looks for patterns that
indicate trouble. For example, sending out thousands of e-mails at once
usually indicates spam. Using pattern and behavior detection,
BorderWare Security Network can block as much as 60% of all threats
before they enter the customer’s network, Graydon says.

Infinity also will let another type of appliance — such as
BorderWare’s mail appliance — share capacity with the company’s IM
appliance. If, for example, an organization sees an increase in mail
volume, instead of purchasing an additional SMTP appliance, it could
use untapped capacity on its IM appliance. This is achieved by
configuring a set of devices into a single messaging security cluster
that appears to be one gateway, Graydon says.

Additionally, customers can leverage the included cluster-management
interface to administer the appliances, he says, saving the cost of
having to acquire a dedicated system for management.

BorderWare plans to release Infinity modules for its HTTP and IM
appliances this fall. MXtreme 6.0, which includes an Infinity module,
is priced starting at $4,750. ■


Phishers employ VoIP in new scam model

BY CARA GARRETSON

Small businesses and consumers aren’t the only ones enjoying the cost
savings of switching to VoIP. According to messaging-security company
Cloudmark, phishers have begun using the technology to steal personal
and financial information over the phone.

Earlier this month, Cloudmark trapped an e-mail phishing attack in its
security filters that appeared to come from a small bank in a big city
and directed recipients to verify their account information by dialing
the included number. (The Cloudmark user who received the e-mail and
alerted the company knew it was a phishing scam, because he’s not a
customer at this bank.)

Usually phishing scams are e-mails that direct unwitting recipients to
a Web site to capture their personal or financial information. But
because much of the public is learning not to visit these Web sites,
phishers believe asking recipients to dial a phone number instead is
novel enough that people will do it, says Adam O’Donnell, senior
research scientist at Cloudmark.

That’s where VoIP comes in. By acquiring a VoIP account, associating it
to a phone number and backing it up with an interactive
voice-recognition system and free PBX software running on an
inexpensive PC, phishers can build phone systems that appear as
elaborate as those used by banks, O’Donnell says. “They’re leveraging
the same economies that make VoIP attractive for small businesses,” he
says.

Cloudmark has no proof that the phisher in this example was using a
VoIP system, but O’Donnell says it’s the only way that staging such an
attack could make economic sense for the phisher.

The company expects to see more of this new form of phishing. Once a
phished e-mail with a phone number is identified, Cloudmark’s security
network can filter inbound e-mail messages and block those that contain
the number, O’Donnell says. ■
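
The filtering step O’Donnell describes, blocking inbound mail that contains an already-reported callback number, only works if the number is matched however it is written. The sketch below is an added example, not Cloudmark's code: it assumes North American numbers, and the function names, blocklist and both sample messages are constructed for illustration.

```python
import html
import re
import unicodedata
from email import message_from_string
from email.policy import default

# Constructed blocklist of numbers already reported in phishing mail.
# (555-01xx numbers are reserved for fictional use.)
REPORTED_NUMBERS = {"2125550147"}

# North American number: optional +1, then 3-3-4 digits with loose separators.
# The look-arounds stop longer digit runs (order or account numbers) matching.
_PHONE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?(\d{3})\)?[\s.\-]*(\d{3})[\s.\-]*(\d{4})(?!\d)",
    re.ASCII,
)
_TAGS = re.compile(r"<[^>]+>")
_DASHES = re.compile("[\u2010-\u2015\u2212]")


def normalise_text(text):
    """Fold full-width digits and no-break spaces to ASCII, then unify dashes."""
    return _DASHES.sub("-", unicodedata.normalize("NFKC", text))


def extract_numbers(text):
    """Return every 10-digit number in text with separators removed."""
    return {"".join(m.groups()) for m in _PHONE.finditer(normalise_text(text))}


def body_text(raw_message):
    """Collect the subject plus all text/plain and text/html parts."""
    msg = message_from_string(raw_message, policy=default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            # Replace tags with spaces so markup cannot split a number,
            # then decode entities such as &nbsp; before matching.
            chunks.append(html.unescape(_TAGS.sub(" ", part.get_content())))
    return "\n".join(chunks)


def verdict(raw_message, blocklist=REPORTED_NUMBERS):
    """Block the message if it carries any number on the blocklist."""
    hits = extract_numbers(body_text(raw_message)) & blocklist
    return ("block", sorted(hits)) if hits else ("deliver", [])


# Constructed sample: the reported number hidden behind markup and entities.
SAMPLE_PHISH = """\
From: Member Services <alerts@bank.example>
To: user@corp.example
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>To verify your account, call <b>(212)</b>&nbsp;555&#8209;0147 today.</p>
"""

# Constructed sample: a different number, plus an 11-digit order number
# that happens to contain the reported digits.
SAMPLE_CLEAN = """\
From: Help Desk <helpdesk@corp.example>
To: user@corp.example
Subject: Order 21255501470 shipped
Content-Type: text/plain; charset="utf-8"

Questions? Call the help desk at 1-800-555-0199.
"""

if __name__ == "__main__":
    print(verdict(SAMPLE_PHISH))
    print(verdict(SAMPLE_CLEAN))
```

Matching on the normalised digits rather than on the text as written is what keeps the filter effective when the same number reappears with different punctuation or markup.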
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If  you  don't  take  control  of  your  data, 

someone  else  will. 
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INTRODUCING  THE  SHARP  MX-SERIES.  These  color  MFPs  help  prevent  sensitive 
information  from  falling  into  the  wrong  hands  by  providing  two  layers  of  advanced  security. 
First  they  encrypt  digital  information,  then  they  overwrite  the  disk.  With  this  level  of 
protection,  it's  no  wonder  Sharp  won  BERTL's  Best  Security  Solutions  Suite  for  2005  and  the 
BLI award for "IT Friendliness." Be secure. Be Sharp. Visit sharpusa.com/security

ENERGY STAR

As an ENERGY STAR® Partner, Sharp has determined that this
product meets the ENERGY STAR® guidelines for energy efficiency.

SPECIAL FOCUS: NETWORK ACCESS

NAC  will  make  a  splash  at  Interop 


The enforcer

At Interop, InfoExpress is announcing Dynamic NAC (DNAC), software that
uses existing servers and PCs as security enforcement points on the
network.

1. Each end device is given a DNAC client that scans the machine to
determine whether it meets established corporate security policies.
Each time a user logs in, the DNAC client scans the machine and reports
the results to a DNAC policy server.

2. The DNAC policy server checks the results and if clean, the machine
is granted access. Access or denial is performed by another machine on
the network segment that has been designated as an enforcer. Using
capabilities contained in the DNAC client, the enforcer intercepts all
traffic from machines logging in until it can certify the policy server
has cleared them.

3. Then the enforcer allows the device on the network. Any device that
is rejected is sent to a remediation server.

[Diagram labels: DNAC client; Policy server; Enforcer machine]

SOURCE: INFOEXPRESS

BY  TIM  GREENE 

IT  executives  looking  to  control  access 
to  their  networks  should  have  two 
more  options  to  consider  after 
announcements  this  week  at  Interop 
Las  Vegas. 

InfoExpress  and  Vernier  Networks  are 
scheduled  to  introduce  network  access 
control  (NAC)  products  that  deny  or  allow 
network  access  based  on  whether  users 
and  their  machines  are  qualified,  and 
enforce  policies  they  must  follow  once 
they  are  admitted. 

Both companies are coming out with gear that delivers NAC today by
adding hardware and software to existing networks but not requiring
upgrades to network infrastructure, an expensive and disruptive
downside to some other NAC schemes.

A sense of corporate urgency surrounds NAC, as shown by phenomenal
sales projections for NAC equipment. Infonetics, for example, expects
the market for NAC devices to grow from $323 million last year to
$3.9 billion at the end of 2008. That growth is fueled by a desire to
get NAC in place quickly, which in most cases means installing NAC
appliances in networks, according to Infonetics.

“The biggest [growth] is in NAC enforcement appliances, whose share of
the market nearly triples,” says Jeff Wilson, principal analyst for
Infonetics.

Infonetics breaks NAC designs into three components: clients that
check end devices for compliance, enforcement points that impose
policies and back-end servers that dictate policies to the enforcement
points. NAC identifies and authenticates users and machines, ensures
machines meet security policies, sets policies based on user and
machine status, and grants access to specified resources.

An Infonetics survey recognizes Cisco’s Network Admission Control,
Microsoft’s network access protection (NAP) and the Trusted Computing
Group (TCG) consortium’s Network Connect as the three network access
control schemes best known among IT executives.

TCG is working on a standardized NAC implementation, while the other
two are working on their own architectures with partners. Vernier and
InfoExpress are members of TCG, and they support NAP. InfoExpress
participates in Cisco’s NAC program.

At Interop, InfoExpress is set to announce Dynamic NAC (DNAC), software
using existing servers and PCs as enforcement points on a network. Each
end device is given a DNAC client that scans the machine to determine
whether it meets security policies, including having a patched
operating system, current virus-signature libraries and an operating
personal firewall.

Whenever a user logs on, the DNAC client scans the machine, reports the
results to a DNAC policy server and gives the machine access if it
comes up clean. This access or denial is performed by another machine
on that network segment — usually a server or PC — that has been
designated the enforcer. Using capabilities contained in the DNAC
client, the enforcer intercepts all traffic from machines logging on
until they certify the policy server has cleared them. Then the
enforcer allows them on the network.

Other NAC architectures place enforcement in access switches or in
dedicated appliances, says Eric Ogren, an analyst with the Enterprise
Strategy Group. “With DNAC, you don’t upgrade your network by putting
more iron into your network. It’s using what’s in the network already,”
he says.

DNAC is a feature of InfoExpress’s 5.0 software for its
CyberGatekeeper Server NAC software and its CyberGatekeeper Policy
Manage software. DNAC costs $49 per seat and is scheduled to be
available July 1.

In contrast, Vernier makes a NAC appliance called EdgeWall, which sits
between access and backbone switches to enforce access policies and
monitor the behavior of endpoints on a network. The company plans to
announce EdgeWall 8800, a modular, four-slot chassis that is faster
than its existing EdgeWall 7000. The old model was based on Intel PC
hardware, while the new platform is built around Octeum 16 MIP
processors made by Cavium.

This gives the device 40Gbps of throughput, which is necessary to
handle traffic coming from access switches on Gigabit Ethernet
networks and pass it to 10Gbps core switches, says Dave Passmore, an
analyst with the Burton Group.

The chassis supports six-port Gigabit Ethernet cards, giving the
chassis room for 24 ports.

The 8800 also supports a new intrusion-detection and -prevention
software engine that monitors the behavior of machines once they have
been admitted to a network. If an engine detects behavior indicating,
say, activity of a worm, it can shut down that port or isolate the
machine on a subnet.

EdgeWall  8800  is  scheduled  to  ship  in 
the  third  quarter  and  cost  $15,000  for  the 
chassis  plus  $15,000  for  each  card. 

Beyond  these  announcements,  the  show 
will  highlight  this  hot  technology  with  free 
NAC  classes  at  InteropLabs  and  clustered 
exhibits  by  vendors  in  the  show’s  Security 
Zone. 

Some see NAC products that work with existing network switches as a
stopgap until customers are ready to upgrade their switches. “From a
cost standpoint, it would be less expensive to put it in the switch.
You already have QoS and network management in switches,” Passmore
says.

In addition, the technology in switches eliminates extra devices on a
network, reducing administrative burdens.

“It makes for a cleaner architecture. There are fewer parts to go
wrong. These appliances are a potential failure point,” Passmore says.

Research by Infonetics predicts network switches will become the most
commonly used enforcement point for NAC, employing 802.1x technology to
enforce policies at individual switch ports.

Ogren says the road to NAC being embedded in switches could be long. “I
don’t think people are going to do a lot of network upgrades just to
get NAC. They will upgrade to get more [LAN] speed or add VoIP but not
for NAC,” Ogren says. When they do upgrade for whatever reason, then
they will look to switches that support access enforcement. “But that
will take years.”

For customers with network switches that don’t support the 802.1x
standard used in most network-based NAC plans including Cisco’s NAC,
the most likely place to install NAC-capable switches is in new
locations where a network is being built from scratch, Passmore says.

He says in dealing with Burton Group’s corporate clients, he has
learned Cisco customers like the idea of Cisco NAC but balk at having
to upgrade their networks to support it. “There’s a lot of resistance
to that,” he says.

Therefore, many customers, at least short term, are choosing NAC
appliances, he says. “They present themselves as an alternative. It
gives you a choice. You could use them for many many years or you could
replace them as you see fit,” Passmore says. ■


Securing  growth 

Infonetics  projects  that  the 
market  for  NAC  devices  will 
grow  from  $323  million  last 
year  to  $3.9  billion  at  the  end 
of  2008. 
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Microsoft  takes  aim  with 
Crossbow  mobile  tech 


Hitachi  pitches  path 
to  virtualize  storage 


BY  JEREMY  KIRK,  IDG  NEWS  SERVICE 

Microsoft,  which  has  been  carving  a 
larger  slice  of  the  market  for  mobile 
device  operating  systems,  is  developing  a 
new  product  code-named  Crossbow  that 
will  incorporate  instant  messaging, a  com¬ 
pany  executive  confirmed  last  week. 

Crossbow  would  have  strong  links  with 
Office  2007  and  Exchange  12,  Microsoft’s 
pending  new  office  application  suite  and 
e-mail  server,  says  Pieter  Knook,  senior 
vice  president  for  the  mobile  devices  and 
telecom  sector.  Crossbow  would  be  the 
successor  to  Windows  Mobile  5.0, 
released  last  May 

Crossbow  is  expected  to  take  aim  at  the 
Symbian  and  BlackBerry  operating  sys¬ 
tems.  It  will  contain  a  new  mobile  version 
of  Office  Communicator,  an  Office  2007 
enterprise  communications  application 
that  includes  instant  messaging  on  public 
and  private  networks,  Knook  says. 

“As  the  Office  [2007]  PC  versions  of 
those  applications  improve,  we’re  tracking 
that  on  the  Windows  Mobile  side,”  he  says. 
Knook  says  it’s  premature  to  say  when 
Crossbow  will  be  released  but  that  the 
company  plans  for  an  annual  release  of  a 
mobile  operating  system.  Such  systems 
are  complex  to  implement,  because  some 
operators  must  adjust  their  billing  systems 
to  accommodate  new  services,  which  can 
mean  a  six-  to  12-month  delay  after  a  re¬ 
lease,  he  says. 

That process is nearly complete for the push e-mail capability of
Windows Mobile 5.0, Microsoft’s slow assault against BlackBerry e-mail
that may begin to bear fruit. The company’s new push e-mail capability
depended on software upgrades on the telecom operators’ side, as well as
new versions of Exchange Server 2003 and Windows Mobile 5.0.

Microsoft is counting on strong connections with device manufacturers to
strengthen its position with enterprises using Exchange but with a
BlackBerry server. The new push e-mail would enable those companies to
eliminate the BlackBerry middleware, which also would consolidate their
support structure, Knook says.

Microsoft and the mobile market

Microsoft is looking for its upcoming Crossbow offering to help boost its
share of the mobile operating system market.

Worldwide mobile operating system market (near end of 2005)

7% RIM BlackBerry
4.5% Others

(Totals more than 100% because of rounding)

SOURCE: CANALYS.COM

Microsoft is gaining ground with Windows Mobile 5.0, but Symbian is
dominant (see graphic), says Nick Spencer, a research analyst with
Canalys.com.

BlackBerry, with about 5 million customers, still is favored for push
e-mail by large enterprises, Spencer says.

Microsoft’s market reach will depend on the success of devices such as
Motorola’s Q, a BlackBerry-like smart phone with a full qwerty keyboard
running on Mobile 5.0, Spencer says. ■


ELIZABETH  MONTALBANO, 

IDG  NEWS  SERVICE 

A group of self-titled “political activists” in Massachusetts has begun
an aggressive campaign to get browser users to switch from Microsoft’s
Internet Explorer to Mozilla’s Firefox.

The campaign, called Explorer Destroyer, takes advantage of a new program
by Google to pay users $1 for each referral to Firefox made through the
Google toolbar, according to the group’s Web site,
www.explorerdestroyer.com.


Diskless  offering 
costs  less  than 
internal  package. 

BY  JENNIFER  MEARS 

Hitachi Data Systems aims to make it easier, and more cost effective, for
enterprises to virtualize storage with a product that consolidates
existing data stores without requiring customers to buy more disk
capacity.

The diskless NSC55 is one of the first controller-only offerings in an
industry where most virtualization tools come packaged with internal
storage, analysts say. The product is a diskless version of the
TagmaStore Network Storage Controller Hitachi introduced last July, which
brought high-end storage management features, such as the ability to
virtualize external storage, do logical partitioning and replicate data
systemwide, to small and midsize companies. The diskless version includes
all of these features, minus the internal storage.

“It gives customers more flexibility in that they can have internal
storage if they want, or they can just put the controller into an
environment where they already have sufficient storage capacity,” says
Randy Kerns, an independent storage analyst.

Today most customers are seeing storage-use rates that hover around 20%,
according to Claus Mikkelsen, chief scientist at Hitachi. The NSC55
addresses that issue by


“You already want people to switch to Firefox. Now’s the time to get
serious about it,” the site says. “Google is paying $1 for each new
Firefox user you refer. . . . Now you can advance your ideals, save
people from pop-ups and spyware hell, and make some serious money.”

Google did not return calls seeking comment for this story, but the
search giant offers a standard $1 per user referral fee to Web sites that
generate new downloads of Firefox with the Google toolbar. ■


separating the controller from the commodity disks, enabling buyers to
get the management features they want without having to invest in
unneeded storage.

The NSC55, for example, requires a minimum of five disks, nearly a
terabyte, of internal capacity and is priced starting at $150,000. The
diskless version drops the starting price to $90,000.

By offering the diskless version, Hitachi hopes to provide a more
attractive entryway to storage virtualization, an area that has been
slower to take off than expected. In addition, the product should give
Hitachi “a foot in the door” with customers who may want to add internal
storage to the NSC55 as their storage needs grow, Mikkelsen says.

The NSC55 competes with such products as StorEdge 6920 from Sun, which is
priced starting at just less than $160,000, according to Sun’s Web site,
as well as similar products from EMC, HP and IBM. ■


Firefox backers aim to ‘destroy’ IE


Management key to controlling desktop


BY  DENISE  DUBIE 

As more users employ desktop search tools from Google, MSN and Yahoo, IT
managers increasingly must establish policies, standardize tools and
protect their networks from data exposure, compliance breaches and poor
performance, experts say.

Desktop search tools make searching client systems data stores,
multimedia files, application documents and e-mail programs faster and
easier. But these consumer-oriented tools also represent a potential risk
to corporate networks if restricted files are shared or users gain
unauthorized access to improperly secured documents.

Worse yet, some tools such as Google Desktop have features that let users
search across multiple computers by storing index information remotely on
external servers. Although this type of software has features that let
users exclude directories from the search domain, many might not do so
without proper policies in place.

■ IBM is building new storage-compression technology into its forthcoming
Viper DB2 database server that it says can cut storage needs by more than
half. The technology, code-named Venom, lets database administrators
compress database tables’ rows by scanning for duplicate data and
building dictionaries to assign short, numeric keys to those entries.
According to IBM, this compression can provide disk, I/O and memory
savings; beta testers have been able to reduce storage needs by more than
50%. With Viper, which is expected to ship this summer, administrators
can opt to use compression table by table, as not all applications
benefit equally from the technology, IBM says. The company will provide
tools to let administrators estimate potential savings before building
dictionaries.


“There are a lot of consumer-oriented tools like Google Desktop that
users want but are not necessarily good for the business. And there are
an increasing number of consumer products — such as iPods, cell phones,
laptops and Zip drives — that can store enterprise data,” says Peter
Firstbrook, a research director at Gartner. To mitigate the threat of
exposing critical data, Firstbrook says IT managers need to “get really
good at software and configuration management so they understand what
programs are in the computing fleet and get information that helps them
understand the impact.”

Desktop search isn’t the first technology users have brought into
networks that poses security and performance problems for IT managers.
For example, instant messaging and peer-to-peer file sharing programs
have prepared many network managers for the potential performance
problems desktop search could represent. And it won’t be the last,
according to Firstbrook.

He says client systems management software from such companies as Altiris,
LANDesk and Novell helps customers master software configuration
management on desktops, but he recommends products such as Windows
Defender Anti-Spyware as a good example of a tool to detect spyware.

■ Lionbridge has introduced Freeway 2.0, an online collaboration tool
that lets customers work more efficiently with Lionbridge staff and
translation partners. Lionbridge offers localization and translation
services to independent software vendors and organizations with software
applications and content in multiple locations and languages.

The Freeway tool lets Lionbridge’s international translation teams,
design teams in India, testing groups in China, and desktop publishing
teams in Eastern Europe, Brazil and India work together in real time. It
also lets Lionbridge distribute work to different locations, depending on
where it can be done most cost-effectively. The completed translation is
imported automatically into the client system for publishing.


Andrew Abramczyk, manager of IT information services within the
Operations and Support department of Erie Insurance Group in Erie, Pa.,
says his experience with desktop search also gave him some experience
with spyware — which in turn creates performance problems on client
machines.

“We have run into situations where people have downloaded and installed
these search tools, and they have created some havoc — mostly with
respect to spyware,” Abramczyk says. “This in turn causes problems with
the PC not performing acceptably sometimes to the point where we have to
reimage the PC. This is a particular sore point for my group; as the main
support for the desktops, we have had to spend a great deal of time
getting users’ PCs rebuilt.”

For that reason, Abramczyk says his company has a general policy
restricting users from downloading unauthorized applications and
software. These can be detected quickly by comparing desktop images
against his department’s standard image. Yet for others, best practices
dictate how IT managers should deal with desktop search downloads until
they perform a full evaluation of the software available.

“Our  current  policy  prohibits  users  from 
downloading  software  from  the  Internet,” 
says  James  Kritcher,  vice  president  of  IT  at 
White  Electronic  Designs,  in  Phoenix.  “This 
policy  exists  to  facilitate  the  orderly  testing 
and  deployment  of  software  and  patches  in 
our  environment.” 

Yet industry watchers say the productivity benefits of desktop search
software could outweigh the risks in the long term. With appropriate
policies in place, network managers could reap the benefits of desktop
search without wreaking havoc on their networks.

“From an audit perspective, desktop search is currently a thorn in the
side, because it’s new and a lot of products being downloaded are beta
releases,” Kritcher says. Now with Sarbanes-Oxley requirements to keep in
check, he says policies that perhaps weren’t as strictly enforced as
necessary are now stringent and restrict the download of “disruptive”
technologies onto corporate machines. Yet such policies don’t restrict a
potential standardized adoption of the technology by IT departments,
following proper research and testing.

Dealing with desktop search tools

Industry watchers advise IT managers to set standards with desktop search
vendors, establish in-house policies and educate users on how desktop
search tools can safely be used within their networks.

IT managers should request vendors provide the following . . .

• Notice and consent: Inform users about all aspects of the software and
ask for their consent on installation and changes to settings.

• Control: Give full control of the application installation and
configuration to the PC owner.

• Privacy: Do not collect any information automatically or refresh any
component of the software automatically without the informed consent of
the user.

• Security: Do not reduce the security status of a PC for any reason. If
software vulnerabilities are discovered, create a patch or workaround and
follow proper disclosure procedures immediately.

. . . and inform users about their rights when downloading desktop search
tools.

• Know what software is loading on their system and how to prevent or
allow it.

• Limit the effect of the software on other software and processes.

• Configure software the way they want it.

• Easily identify the source of software effects.

• Remove software they no longer need.

SOURCE: GARTNER


“Desktop search seems to have a lot of momentum, and we won’t be able to
simply ignore it. We try to meet our compliance requirements without
being a roadblock to solving a legitimate business need,” Kritcher says.
“There is likely a legitimate business need, considering the rapid
proliferation in the enterprise. We would certainly want to standardize
for the sake of simplifying application deployment, testing and user
support.”

At LaunchPad Communications in Los Angeles, users are not allowed to
download and install search tools, but CIO Chris Holbert says the policy
is in place to protect the network and give the IT department the time to
perform an adequate
See Search, page S3


Mac OS X gets wrong kind of attention


NET  INSIDER 

Scott  Bradner 


Recently there has been a growth industry in pundits whining about the
security of the Apple Mac OS X operating system. To read some of the
coverage, you would think someone deciding to use OS X instead of Windows
would have to be dumber than a fence post. Methinks the security worries
are rather misplaced and may be the result of hyperventilating,
nontechnical reporters and some gloating on the part of Windows users.

One would have to be dumber than a fence post to assert any set of
software as complex as a computer operating system and all of its
application programs could ever be totally secure. Programs are created
by programmers, most of whom are human and therefore unlikely to generate
perfect, bug-free code. Bugs in software design or implementation are
what lead to security vulnerabilities.

Security researcher and Columbia professor Steve Bellovin has said most
security problems are caused by buggy software
(www.nwdocfinder.com/3229). Anyone who has ever said Mac OS X is bug-free
and because of that will not have any security vulnerabilities was
smoking some strong herbs.

But that said, there is no reason to think most of OS X should be as
subject to vulnerabilities as is most of Windows. Most of OS X, including
most of its more than 1,000 Unix applications, are from open source BSD
Unix and the GNU Project (www.gnu.org/), both of which have been beaten
on by researchers and hackers for years (and fixed when problems have
been found). This process is more likely to result in secure code than
any private, corporate process such as Microsoft uses, where the code has
had nowhere near as many eyes reviewing it.

Sometimes public access to source code means a hacker finds something to
exploit. It also means exploits can be quickly fixed. The nonpublic parts
of OS X, including Apple’s own applications, generally should have the
same level of buggy code as most of Windows — Apple programmers are not
intrinsically better than programmers working elsewhere.

Then why the increased buzz about OS X security? (Note that even though
the buzz has increased, it is still a whisper compared with discussions
about Windows security: A search on Google News, for example, returns 64
hits for OSX + security and 7,300 hits for Windows + security.)

I expect a major reason is there is a lot of buzz about OS X and Apple
these days; too many reporters feel just writing about good news is not
good for their careers, so they feel they have to come up with something
to complain about.

The buzz also has excited the hacker community to try to tarnish the
Apple image. There have been a few actual OS X attacks found in the wild
(that is, the software is being used, not just a security-expert
exercise) but not many. Last I read, there were fewer than five, compared
with many thousands for Windows (even if many were exploiting the same
underlying vulnerabilities).

OS X is not going to be vulnerability-free, but I do expect it to show
significantly fewer vulnerabilities than Windows has. That does not mean
OS X users can ignore security — at the very least, enable the built-in
personal firewall — but it does mean you should not stay with Windows
because you think it will be safer.

Disclaimer: Harvard is not twit-free, but you should not draw any
conclusions about the quality of the school’s education from that
factoid. In any case, the above Apple review is mine, not the
university’s.

Bradner  is  a  consultant  with 
Harvard  University's  University 
Information  Systems.  He  can  be 
reached  at  sob@sobco.com. 


Company  to  push  wikis  for  corporate  collaboration 


Wiki tool

CustomerVision this week plans to unveil BizWiki, a corporate, real-time
collaboration tool that has access control and workflow capabilities.

Users can ask questions of subject matter experts and route them using
the BizWiki workflow engine.

On the experts page, specific experts can be listed with links to blogs,
biographical information or a library of content that person has created.

BY JOHN FONTANA

CustomerVision  this  week  is  set  to  unveil 
itself  and  BizWiki,  a  Web-based  application 
for  hosted,  real-time  collaboration  that  has 
access  controls  and  workflow  routing 
designed  for  corporate  users. 

Search

continued from page 29

evaluation of the tools. Holbert has a few requirements for desktop
search he’d research for an enterprisewide rollout. For instance, he says
desktop search tools would need “Active Directory integration for group
rights management, policy setting and administration” as well as
integration with products that support an Open Security Framework for
local and network firewalls, VPN and Internet filters.

“To manage the environment and the introduction of new software, we have
a process whereby we research and evaluate new products for compatibility
with existing enterprise products and services,” Holbert says.

“This would include plans for who would need the new software and how we
would install and maintain the software,” Holbert adds. ■


CustomerVision is capitalizing on the growing popularity of social
networking tools by adapting them for use by corporations. The company is
led by CEO Cindy Rockwell, who came from the financial services industry
and holds a CRM-related patent. The company has 30,000 customers.

A wiki is a Web site that can be edited by anyone, a feature that in a
corporate setting typically is controlled with access rights. Wikis are
deployed in workgroups, departments or across an entire company.

As social networking tools take off for consumers, vendors are adapting
the technology for corporate use. IBM and Microsoft are introducing
software for wikis, RSS and Atom automated-feed technology and blogging
tools. CustomerVision says it competes most directly with Socialtext, but
others such as Splunk and JotSpot are also testing the corporate waters.

To meet corporate requirements, BizWiki supports control features
integrated with corporate directories based on Lightweight Directory
Access Protocol. Permission to view, collaborate on or update content can
be assigned based on users, groups, departments or globally. In addition,
the platform has security and compliance features and content management
controls.

BizWiki also has a broadcast feature for finding experts to answer
questions, revision and rollback capabilities, and integration with other
social networking tools such as RSS feeds and blogs, as well as
traditional email.

“We are an extremely technology-centric organization,” says Steve
Ollenburg, CEO at MWABank in Rock Island, Ill. The bank, which is run by
a fraternal financial services organization called the Modern Woodmen of
America, conducts business almost solely via the Internet, email,
telephone and other electronic means, and has only one brick-and-mortar
location, in Rock Island.

Ollenburg says given the way the bank is run, quick adoption is key. The
bank uses BizWiki on its Web site so customers can ask questions.

BizWiki is offered as software-as-a-service, but users also can deploy it
in their own network. The price per month ranges from $100 to $5,000,
depending on the size of the company. ■


EYE ON THE CARRIER

Johna  Till  Johnson 


You  may  have  heard  about  the  lawsuit 
that  the  Electronic  Frontier  Foundation  is 
filing  against  AT&T  for  cooperating  with  the 
feds  to  wiretap  its  network.  Apparently  AT&T 
has  instrumented  its  network  so  that  the 
feds  can  potentially  monitor  all  traffic  that 
flows  across  it. 

In  the  immortal  words  of  Captain  Renault, 
I’m  shocked,  shocked,  to  find  a  carrier  . . . 
obeying  the  law. 

That’s  right:  Not  only  is  AT&T  tapping  its 
network  on  behalf  of  the  feds,  so  are 
Verizon,  Sprint,  Qwest,  BellSouth  and  all  the 
rest.  They’d  be  in  violation  of  federal  law  if 
they  weren’t. 

Remember the Communications Assistance for Law Enforcement Act (CALEA)?
Passed in 1994, CALEA requires carriers to embed wiretapping capabilities
into the fabric of their network infrastructure. (For details on what
CALEA requires, check out www.fcc.gov/calea and www.askcalea.net). All
the carriers have had to be CALEA-compliant for years.

Whistle-blower Mark Klein, an AT&T technician who provided documents to
the EFF, says a device was installed in AT&T’s network with the “ability
to sift through large amounts of data looking for preprogrammed targets.”

Err  —  that’s  exactly  what  CALEA  requires. 


Short Takes

■ Alltel recently announced a service called My Circle, which lets
wireless users make free calls to as many as 10 numbers. Most wireless
providers offer customers free calls to other subscribers on their
network. Alltel’s offering lets customers call landline or wireless
numbers on any carrier’s network for free. The list of as many as 10
phone numbers can be changed at any time. With 15 million customers in 36
states, Alltel is the fifth largest wireless service provider after
Cingular Wireless, Verizon Wireless, Sprint Nextel and T-Mobile.


Wiretapping  the  WAN:  It's  the  law 


Specifically, CALEA requires carriers to be able to, upon request by law
enforcement, intercept call-identifying information, defined in section
102(2) as “information that identifies the origin, direction, destination
or termination of each communication generated or received by a
subscriber.” In the packet-switched world, obtaining that information may
require scanning hundreds of millions of traffic flows from millions of
endpoints.

This poses a rather Zen conundrum: To figure out which traffic to
monitor, you have to monitor some traffic.

Now, there’s an open question as to whether the feds — the National
Security Agency in particular — have the right to make such a request of
any carrier, particularly without a warrant. So you can see why the feds
are keeping mum about the whole issue: Not only does the NSA have no
comment on the EFF lawsuit, the Department of Justice recently declined
repeated requests by Congress to disclose wiretapping details, on the
grounds that such information is “classified and sensitive.”

I have no idea whether the feds acted legally in making their requests.
I’m not a lawyer, and I don’t play one on TV. For what it’s worth, I’ve
never been much of a CALEA fan, either: Yes, law enforcement agents need
the tools to do their jobs, but building networks that are inherently
“tappable” seems to me to be fundamentally bad security design, because
anything the good guys can do, the bad guys can do, too.

But that’s all irrelevant given that CALEA’s the law of the land, and has
been so for years. Even if you think it’s a lousy law and the feds are
way out of bounds to request wiretapping, that’s immaterial. The carriers
are obliged to comply, unless the courts tell them otherwise.

Bottom line: If you have issues with wiretapping, don’t go after the
carriers. Go after the folks who required it in the first place.

Johnson is president and senior founding partner at Nemertes Research, an
independent technology research firm. She can be reached at
johna@nemertes.com.


XO ‘launches’ a familiar name

Nextlink re-emerges as subsidiary to focus on fixed wireless.


“This is the right time and right place for fixed wireless.”

Tom Cady, president, Nextlink

BY  JIM  DUFFY 

XO  Holdings  last  week  “launched”  a 
wireless  company  —  one  that  bore  it  six 
years  ago. 

The competitive local exchange carrier (CLEC) reintroduced Nextlink to
the industry as a provider of fixed broadband wireless services to
businesses, government agencies and other service providers. In 2000,
CLECs Nextlink and Concentric merged to form XO.

Nextlink utilizes licensed Local Multipoint Distribution Service (LMDS)
wireless spectrum covering 75 metropolitan markets across the country.
The service will be marketed as an alternative to conventional broadband
services delivered over copper and where fiber is unavailable or too
costly, says Tom Cady, Nextlink’s president.

“Fiber is just not always available, or is cost-prohibitive at times and
takes time to deploy,” Cady says.

He contends that Nextlink is the largest holder of fixed wireless
spectrum in the country. With this asset, Nextlink will be targeting
“middle mile” applications such as wireless backhaul and wireless
metropolitan Ethernet.

Cady  says  backhaul  is  a  $2  billion  market 
that  will  more  than  triple  by  2010.  Wireless 
metropolitan  Ethernet,  which  is  less  than  a 
$1  billion  market,  is  expected  to  double 
through  2009,  he  says. 

Nextlink’s services, offered in the 28GHz to 31GHz range, are for
locations up to 7 miles from and in line-of-sight of a Nextlink wireless
hub. Speeds range from 1.544Mbps T-1 up to 622Mbps OC-12 in
point-to-point or point-to-multipoint configurations. Nextlink says
service reliability is up to 99.999%.

Wireless T-1 will be aimed at cellular backhaul, while wireless
metropolitan Ethernet will be offered to support more bandwidth-intensive
mobility applications and content, videoconferencing, distance learning
and IP telephony.

Nextlink also will offer a wireless dedicated Internet access service for
businesses or government organizations in locations that lack direct
fiber connectivity.

Although XO has had the LMDS spectrum for several years, fixed broadband
wireless has never enjoyed significant success in the marketplace.
Emerging operators Winstar, Teligent and Metricom went bankrupt early
this decade, while at the same time AT&T Wireless closed its operations,
Sprint scaled back its fixed wireless plans, and MCI sold off its fixed
wireless assets to Nextel.

But  Cady  says  now  is  the  “right  time  and 
right  place  for  fixed  wireless,”  with  next- 
generation  convergence  and  mobility 
applications,  content  and  broadband 
access  alternatives  coming  into  vogue. 

Analysts  agree. 

“The  timing  is  much  different,  and  that’s 
very  important,”  says  Josh  Holbrook  of  the 
Yankee  Group.  “That  technology  right  now 
is  hot.  In  this  game  timing  is  everything.  It’s 
like  surfing:  If  you’re  behind  the  wave  you 
don’t  get  to  ride  it;  if  you’re  in  front  of  it,  it 
crashes on top of you; but if you get it just
right, you can ride the wave.”

Nextlink’s  challenge  will  be  getting 
enterprises  to  accept  wireless  as  a  reli¬ 
able,  carrier-grade  access  technology, 
Holbrook  says. 

Nextlink is launching service in Dallas,
Los Angeles, Miami, San Diego, Tampa and

See Nextlink, page 34
Internet2's network to get a face-lift


BY  DENISE  PAPPALARDO 

Internet2's network is growing
up. That was one of the key topics
discussed last week at the group's
Spring Member Meeting in
Arlington, Va.

The research group is phasing
out its Abilene network after
about seven years of service and
replacing it with a big backbone
that will support 10 10Gbps lambdas,
says Douglas Van Houweling,
president and CEO of Internet2.

Internet2 is a consortium of 201
universities that works with government
and the IT industry to
develop and deploy advanced
network applications and technologies
with the goal of accelerating
development of the Internet.

In early April, Internet2 told its
members that it would not
renew its contract with Qwest
Communications, the prime network
provider of its Abilene network.
At the same time, Internet2
said it has a “nonbinding” contract
with another carrier to support
the group's next-generation
network needs. Because Internet2
is a member organization,
all contracts have to be approved
by members. Once that
happens the name of the new
service provider will be revealed,
the group says.

The new network will eventually
scale to 80 10Gbps lambdas,
Van Houweling says.

The  additional  bandwidth  is 
needed  to  support  high-speed  ex¬ 
periments  already  being  con¬ 
ducted.  Van  Houweling  says 
Internet2  members  are  running 
an  experiment  that  uses  7Gbps, 
but  Abilene  can  support  only  one 
such  experiment  at  a  time. 

The  research  group  is  working 
out  details  such  as  what  type  of 
service-level  agreements  (SLAs) 
will  be  offered  to  Internet2  users. 
Today  no  SLAs  are  offered. 

The  new  network  also  will 
include  self-provisioning  support, 
so  universities  about  to  launch  an 
experiment  will  only  need  to  go 
to  a  Web  site  to  get  additional 
bandwidth. 

All  Internet2  members  are 
expected  to  be  transitioned  off  of 
Abilene  by  September  2007.  ■ 


Nextlink 

continued  from  page  32 

Washington,  D.C.,  with  additional 
market  launches  planned  over 
the  next  two  years.  Nextlink  is  pro¬ 
viding  broadband  wireless  ser¬ 
vices  to  a  major  national  wireless 
carrier,  delivering  wireless  back¬ 
haul  and  network  redundancy 
and  diversity  services  across  mar¬ 
kets  in  south  Florida.  Cady  would 
not  identify  that  carrier. 

Nextlink  also  will  offer  hybrid 
wireless/wireline  services  in  con¬ 
junction  with  XO,  which  says 
fixed  wireless  will  enable  it  to 
expand  the  reach  of  its  network 
and  help  reduce  the  costs  of 
local  network  access  in  serving 
enterprise  customers. 

Nextlink  will  compete  with 
incumbent  LECs  offering  fiber  or 
bonded  DSL  loops  providing 
tens  of  megabits  of  bandwidth. 
Emerging  operators  also  are 
offering  broadband  fixed  wire¬ 
less  access,  Cady  says.  ■ 


TECHNOLOGY UPDATE

AN  INSIDE  LOOK  AT  TECHNOLOGIES  AND  STANDARDS 


Secure  SIP  protects  VoIP  traffic 


HOW IT WORKS: Secure SIP

Secure SIP is a security mechanism for sending SIP messages over a Transport
Layer Security (TLS)-encrypted channel.

1. SIP User Agent 1 (UA1) desires to communicate with UA2. UA1 initiates a TLS-secured session with SIP
Proxy 1, containing a SIP session invitation for UA2.

2. SIP Session Proxy 1 forwards the session invitation to SIP Session Proxy 2 using an encrypted TLS or
IPsec mechanism.

3. UA1 and SIP Session Proxy 2 authenticate via TLS.

4. With UA1 now authenticated via TLS with SIP Session Proxy 1 and SIP Session Proxy 2, the session
invitation is forwarded to UA2. The session between UA1 and UA2 can be established.


BY  MICHAEL  WARD 

Session  Initiation  Protocol  has  become 
the  call  control  protocol  of  choice  for  VoIP 
networks  because  of  its  open  and  extensi¬ 
ble  nature.  However,  the  integrity  of  call 
signaling  between  sites  is  of  utmost  impor¬ 
tance,  and  SIP  is  vulnerable  to  attackers 
when  left  unprotected. 

Secure SIP is a security mechanism
defined by SIP RFC 3261 for sending SIP
messages over a Transport Layer Security-encrypted
channel. Originally used for
securing HTTP sessions, TLS can be repurposed
to protect SIP session communications
from eavesdropping or tampering. By
deploying SIP-based devices that support
Secure SIP, network administrators benefit
from these increased levels of security for
their VoIP networks.

Thwarting  threats 

Companies  are  concerned  about  mali¬ 
cious  parties  eavesdropping  on  SIP  signal¬ 
ing  information,  performing  man-in-the- 
middle  attacks  that  disrupt  service  or  gain¬ 
ing  unauthorized  access  to  VoIP  networks. 

RFC 3261 defines mechanisms for providing
increased security for a SIP session.
The most basic level of security, required
to be implemented by all SIP user agents
and SIP proxy servers, is Message Digest
(MD5) authentication. This provides a
basic level of authentication challenge
between a SIP proxy server and SIP user
agent. At the other end of the spectrum,
Secure Multipurpose Internet Mail Extensions
(S/MIME) can be implemented to
encrypt data directly within SIP messages.
SIP support for S/MIME has not been as
widely deployed as HTTP because of the
required public-key infrastructure support
and the added complexity of managing
the security certificates. Secure SIP, running
SIP over TLS on a hop-by-hop basis,
provides a more comprehensive level of
security than that of basic MD5 authentication,
without the additional overhead
imposed by S/MIME.

One key difference between the SIP and
HTTP protocols is that a SIP request may
travel across several hops before reaching
its destination. Running SIP over TLS can
provide secure connections on a hop-by-hop
basis. For Secure SIP communications,
RFC 3261 defines the SIPS Uniform
Resource Identifier (URI), used as HTTPS
is used for secure HTTP connections. The
SIPS URI ensures that SIP over TLS is used
between each pair of hops to validate and
secure the connection, and provide a
secure endpoint-to-endpoint connection.

In a Secure SIP session, the SIP user
agent client contacts the SIP proxy server
requesting a TLS session. This SIP proxy
server responds with a public certificate
and the SIP user agent then validates the
certificate. Next, the SIP user agent and the
SIP proxy server exchange session keys to
encrypt or decrypt data for a given session.
From this point, the SIP proxy server
contacts the next hop and similarly negotiates
a TLS session, ensuring that SIP over
TLS is used end-to-end.
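
An added example, not part of the original article: a Python check that a receiving proxy or a log reviewer could run over a captured request to confirm the hop-by-hop property described above, namely that a request addressed to a SIPS URI shows TLS on every Via hop. The sample messages and host names are constructed; Via values are written by each hop rather than signed, so this is a consistency check, not proof.

```python
import re

# sent-protocol in a Via value: "SIP/2.0/<transport> <sent-by>". RFC 3261
# allows optional whitespace around the slashes.
VIA_RE = re.compile(r"SIP\s*/\s*2\.0\s*/\s*([A-Za-z0-9-]+)\s+([^;,\s]+)")
# Compact header names from RFC 3261 that matter for this check.
COMPACT = {"v": "via", "m": "contact"}


def parse_request(raw):
    """Split a SIP request into (request_uri, [(header_name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n"):
        # A line starting with space or tab continues the previous header.
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    start = unfolded[0].split()
    if len(start) != 3 or start[2] != "SIP/2.0":
        raise ValueError("not a SIP request")
    headers = []
    for line in unfolded[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.append((COMPACT.get(name, name), value.strip()))
    return start[1], headers


def via_hops(headers):
    """Return [(transport, sent_by), ...], most recent hop first."""
    hops = []
    for name, value in headers:
        if name == "via":
            # One header line may carry several comma-separated Via values.
            hops += [(m.group(1).upper(), m.group(2))
                     for m in VIA_RE.finditer(value)]
    return hops


def audit_sips(raw):
    """Return a list of findings; an empty list means the request is consistent."""
    uri, headers = parse_request(raw)
    scheme = uri.split(":", 1)[0].lower()
    if scheme != "sips":
        return [f"Request-URI uses '{scheme}:', so TLS is not required on every hop"]
    findings = []
    hops = via_hops(headers)
    if not hops:
        findings.append("no Via header found")
    for transport, sent_by in hops:
        if transport != "TLS":
            findings.append(f"hop {sent_by} sent the request over {transport}, not TLS")
    # RFC 3261 section 8.1.1.8: a SIPS Request-URI requires a SIPS Contact.
    for name, value in headers:
        if name == "contact" and "sips:" not in value.lower():
            findings.append("Contact is not a SIPS URI")
    return findings


# Constructed sample: INVITE as seen by UA2 after UA1 -> Proxy 1 -> Proxy 2.
SAMPLE_OK = (
    "INVITE sips:ua2@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy2.example.net:5061;branch=z9hG4bKb2\r\n"
    "Via: SIP/2.0/TLS proxy1.example.com:5061;branch=z9hG4bKb1\r\n"
    "Via: SIP/2.0/TLS ua1.example.com:5061;branch=z9hG4bKa0\r\n"
    "From: <sips:ua1@example.com>;tag=1\r\n"
    "To: <sips:ua2@example.net>\r\n"
    "Call-ID: constructed-1@ua1.example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sips:ua1@ua1.example.com>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: same call, but one hop fell back to UDP. Uses compact
# header names, a comma-separated Via list and a folded line on purpose.
SAMPLE_DOWNGRADED = (
    "INVITE sips:ua2@example.net SIP/2.0\r\n"
    "v: SIP/2.0/TLS proxy2.example.net:5061;branch=z9hG4bKb2,\r\n"
    " SIP / 2.0 / UDP proxy1.example.com:5060;branch=z9hG4bKb1\r\n"
    "Via: SIP/2.0/TLS ua1.example.com:5061;branch=z9hG4bKa0\r\n"
    "From: <sips:ua1@example.com>;tag=1\r\n"
    "To: <sips:ua2@example.net>\r\n"
    "Call-ID: constructed-2@ua1.example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "m: <sip:ua1@ua1.example.com>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("ok", SAMPLE_OK), ("downgraded", SAMPLE_DOWNGRADED)):
        print(label, audit_sips(msg))
```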

One might ask why a security protocol
such as IPsec is not used for a direct,
secure, end-to-end connection between
SIP endpoints. Because IPsec encrypts
data end-to-end, the SIP proxy servers
between the SIP endpoints would not be
able to interpret and modify required
information in the SIP messages. TLS is a
lighter-weight and more easily managed
protocol than IPsec, and thus more appropriate
for SIP-based VoIP endpoints, which
are often processing and resource constrained.
The security mechanism between
SIP proxy servers within a network may
use TLS, IPsec or other security mechanisms,
as long as the information is
decrypted at each hop.

Secure SIP is an optional item for SIP
user agents, but more SIP-based VoIP endpoints
provide it. VoIP network administrators
should take a look at implementing
this technology within their SIP-based networks
to gain from the added level of
security that Secure SIP can provide.

Ward is director of product line management
at Trinity Convergence. He can
be reached at mward@trinityconvergence.com.


Ask Dr. Internet


By  Steve  Blass 


Can  I  build  an  IP  network  that  connects  a 
Windows  XP  machine  to  a  Mac  OS  X  machine 
using  a  FireWire  (IEEE  1394)  connection? 

Yes, because the most recent versions of Mac OS
X and Windows XP support TCP/IP networking via
FireWire connections. Simply establish a physical
connection, then configure the FireWire ports on
each computer with an IP address. On a Macintosh,
open the System Preferences applet and double-click
on the Network icon. Double-click on the Built-in
FireWire entry in the interface list. On the Built-in
FireWire screen, change the Configure IPv4 setting
to Manually. Enter the IP address you want to use,
then click on Apply Now. When you return to the
Network Status screen, you should see that the
Built-in FireWire port is active and has the IP address
you just assigned.

On a Windows machine, open the Network Connections
applet in the Control Panel, double-click on
the icon labeled 1394 Connection and click on the
Properties button in the pop-up dialog box. Choose
the Internet Protocol (TCP/IP) entry and click
Properties. Enter the IP address you want to use. Do
not enter an address for the default gateway on the
Windows FireWire port, or your Ethernet connection
will try to use that gateway. After saving your settings
you will have a point-to-point TCP/IP network
connection over the FireWire cable connecting the
two machines.

Blass, a network architect at Change@Work, can be
reached at dr.internet@changeatwork.com.

GEARHEAD

INSIDE  THE 
NETWORK 
MACHINE 


A PDF reader, more portable apps

Mark Gibbs

First up this week, a neat freebie: a
lightweight PDF viewer for Windows
95, 98, NT, 2000, XP and 2003
called Foxit Reader (www.nwdocfinder.com/3231)
published by Foxit Software.

Foxit Reader is much faster than
Adobe Reader (www.nwdocfinder.com/3233)
and much smaller as a
download (1MB, compared with
almost 28MB) and as an installed
program (just under 3MB, compared
with 90MB).

Although Foxit works as well as Adobe Reader for viewing
documents, it isn't quite on par when it comes to filling
out forms. Foxit Reader doesn't detect the position of
the pre-defined data entry fields, so you wind up entering
data, then dragging it to the right location on the form. Not
a biggie in terms of cons, given that Foxit Reader's
performance is such a big pro.

Foxit also offers a PDF editor, Foxit Editor
(www.nwdocfinder.com/3234) that is, as far as we know and as Foxit
claims, “the first real editor for PDF files.”

We  were  excited  by  this,  as  we  had  recently  filled  out 
forms  for  the  Department  of  Motor  Vehicles  to  register  a 
car  but  found  we  were  not  allowed  to  save  the  form  data, 
which  was  very  annoying.  Unfortunately,  as  with  Acrobat 
Reader,  the  Foxit  Editor  respects  all  restrictions  the 
author  has  set.  Rats. 


Our  second  topic  for  this  week  is  a  return  to  flash  drive 
based  portable  applications,  which  we  recently  spent  three 
weeks  discussing  as  we  examined  U3  USB  flash  drive  tech¬ 
nology  (www.nwdocfinder.com/3230). 

The downside of U3 technology, other than I/O performance
(a limitation U3 has in common with all systems that
use USB flash drives), is that it requires U3 hardware,
which increases the drive's price by 20% to 40%. We
expect the premium pricing won't last, simply because
the  potential  of  portable  Windows  applications  is  starting 
to  generate  competition. 

One  competitor  is  a  new  player  in  this  market:  Ceedo. 

Ceedo  doesn’t  require  special  USB  flash  drive  hardware 
and  takes  up  just  3MB  of  storage.  Installation  is  simple:  You 
run  the  Ceedo  installer  under  Windows  with  a  USB  flash 
drive  inserted  in  a  USB  port,  and  the  Ceedo  software  is 
installed  on  the  flash  drive. 

The  Ceedo  installer  “fingerprints”  the  drive  and  generates 
a  license  for  that  drive  to  prevent  unauthorized  use  on  mul¬ 
tiple  drives.  Once  installed,  Ceedo  can  be  configured  to 
launch  when  Windows  starts. 

The first Ceedo interface you see is a control bar with
buttons to minimize the bar to the system tray, show the
menu and exit. This bar is stuck to the bottom edge of the
display and can slide left and right only.

When  you  invoke  the  menu  you  get  a  presentation  that 
looks  like  the  Windows  Start  menu,  with  entries  for  the 
folders  My  Documents,  My  Pictures  and  My  Music,  which 
are  all  on  the  flash  drive.  Applications  that  exist  on  your 
PC,  such  as  Internet  Explorer  and  Outlook  Express,  are 
automatically  added  to  the  application  menu. 

Clicking on the Add Programs icon launches a separate
window to Ceedo's applications download site, which
offers a tremendous number of Ceedo-compatible titles
(although some are a point release behind the regular
Windows version). Interestingly, Foxit Reader also is available
as a Ceedo application.

As far as we can determine, Ceedo does a pretty thorough
job of cleaning up when the drive is ejected, but the overall
performance is a little slower than we'd like, and it seems
occasionally to peg processor utilization at 100%.

We’re  still  testing  the  Ceedo  system,  but  so  far  it  looks  like 
a  good  contender  in  the  mobile  application  platform  mar¬ 
ket.  Ceedo  comes  in  two  versions:  Ceedo  Starter  for  OEM 
distribution  and  Ceedo  Personal,  priced  at  $40. 

Are you going for portable apps? Tell us on Gibbsblog or at
gearhead@gibbs.com.

If you wrote in requesting the Gearhead Windows screensaver
we mentioned a few weeks ago, our apologies. We're
waiting for the next release of WildPresenter, which is due out
any day now. You'll be hearing from us as soon as we get our
hands on it.


I’m  still  buried  in  e-mail  after  some  recent  travel,  so  we’re  going 
to  have  to  dig  into  the  gadget  news  bag  to  highlight  some  recent 
device  announcements: 


Apple's  17-inch  MacBook  5x  faster  than  PowerBook  G4 

Macheads, get your drool on. Apple last week unveiled its 17-inch MacBook Pro
notebook, which includes a 2.16GHz Intel Core Duo processor and a new system
architecture that Apple says will deliver as much as five times the performance
of its PowerBook G4 notebook. The 1-inch-thick unit weighs only
6.8 pounds and includes a built-in iSight videocamera and Front Row media
software. The notebook is expected to be available this week at Apple's Web site,
retail stores and other resellers.

The following configuration will cost about $2,800, Apple says: a 17-inch
widescreen 1,680-by-1,050-pixel display with 300 nits of brightness, the
2.16GHz Intel Core Duo processor, 1GB of DDR2 SDRAM (upgradeable to
2GB), a 120GB hard drive, slot-loaded 8x SuperDrive (DVD+R Dual
Layer/DVD+/-RW/CD-RW), ATI Mobility Radeon X1600 graphics
card with 256MB of memory, Digital Video Interactive (DVI)
out port, built-in Dual Link support for Apple's 30-inch Cinema HD display,
Gigabit Ethernet port, built-in AirPort Extreme wireless networking and
Bluetooth 2.0, three USB 2.0 ports, one FireWire
800 port, and one FireWire 400 port, among other features. The notebook comes
with Apple's new MagSafe Power Adapter, which magnetically couples the power
cord to the MacBook Pro. The adapter safely disconnects from the notebook
whenever strain is detected.

The 17-inch MacBook Pro includes a built-in iSight camera for video chat.

Kodak  adds  Bluetooth  to  digital  cameras 

As part of celebrating the fifth anniversary of its EasyShare consumer digital
cameras and printer docks, Kodak last week announced a dual-lens, Bluetooth-enabled,
6-megapixel digital camera with 10x optical zoom features.

Kodak says the EasyShare V610 is less than 1 inch thick, has a 2.8-inch LCD
screen and sends photos wirelessly to any Bluetooth-enabled device as far away
as 30 feet. The $449 camera will be available worldwide this month, Kodak says.

The  company  also  announced  the  next  generation  of  its  EasyShareOne  camera, 
which  was  the  world’s  first  Wi-Fi  consumer  digital  camera.  This  6-megapixel  ver¬ 
sion  includes  a  new  Wireless  Internet  Service  Provider  recommendation  feature 
that  lets  users  increase  the  number  of  hot  spot  locations  they  can  connect  to  wire¬ 
lessly,  Kodak  says.  The  EasyShareOne  6  MP  camera  is  scheduled  to  be  available 
this  summer  for  $299,  with  a  $99  optional  Wi-Fi  card  accessory. 

Seagate  launches  750GB  external  hard  drive 

Seagate  Technology  last  week  announced  a  new  750GB  external  hard  drive,  the 
750GB  Pushbutton  Back-up  Hard  Drive,  designed  to  let  consumers  store  all  their 
digital  content.  It  can  save  as  many  as  15,000  digital  songs,  15,000  digital  photos, 
50  hours  of  home  videos,  50  computer  games  or  25  DVD  movies.  The  device  is 
expected  to  ship  next  month  for  about  $560,  Seagate  says. 

The drive is based on the company's Barracuda 7200.10 family, which includes a
data density of 110GB per square inch (as many as 188GB per disc). It features an
upright stand, non-slip rubber feet, and a power button that lets users turn the drive
on or off without turning off the attached computer.

Shaw can be reached at kshaw@nww.com.

Virtualization: the
best  get  better 

With  the  Microsoft  and  Linux  camps  starting  to  get  their 
acts  together  on  server  virtualization  (see 
www.nwdocfinder.com/3251),  we  decided  to  check  in 
with  VMware,  the  company  that  popularized  the  concept,  to 
see  what  gains  it  is  making  in  the  interim. 

Revenue growth tells part of the story: Sales last year were
up 77% to $387 million. Quarter-over-quarter growth is in the
15% to 20% range, says Raghu Raghuram, vice president of
Datacenter and Desktop Platform Products.

While that shows strong acceptance, perhaps even more
telling are surveys that show one quarter of customers now
have a VMware-first policy, meaning the virtual server option
has to be considered for all new applications, Raghuram
says. That approach lets the best operating system be used
for each application and delivers other benefits, such as ease
in moving applications around.

“Applications become just another file,” he says. Customers
can shuttle programs from machine to machine to accommodate
demand spikes, avoid downtime associated with
hardware repairs or for disaster recovery, he says.

Server consolidation is another core benefit. Raghuram
says customers typically can consolidate three to seven
servers per processor core. “Some conservative users will
base their ROI on five and leave it at that, while others are
squeezing in 20,” he says.

To  address  buyer  concerns  about  the  technology’s  making 
it  possible  to  put  too  many  eggs  in  one  basket,  the  company 
has  announced  two  technologies,  which  are  still  in  beta. 

One is Distributed Availability Services (DAS), an add-on
for the company's Virtual Center management system. The
tool interfaces to system vendors' management tools,
which monitor for anomalies in things such as fan speed
and heat, letting DAS restart a virtual machine on another
box in a cluster and move an application before a failure
occurs.

The  other  technology  is  Distributed  Resource  Scheduler, 
which  lets  VMware’s  tools  schedule  application  processing 
chores  across  a  range  of  systems,  finding  the  optimum  place 
in  a  pool  of  resources  to  handle  a  given  task. 

To keep the industry momentum going, VMware is working
on three virtualization standards, Raghuram says: how virtual
environments are managed; how virtual environments are
[illegible] on disk (so they can be patched and backed up
without starting the virtual machine); and how operating systems
interact with the virtual machine layer (to ensure interoperability
across environments).

[illegible] competition is on the horizon, but VMware has a
[illegible]. The emerging techs have a long way to go to
catch up.


Opinions 

CipherTrust  responds 

We at CipherTrust were very disappointed to read
Joel Snyder's description of his experience with our
company and his implication that our process
somehow hurts customers (www.nwdocfinder.com/5223).

After  Snyder  originally  contacted  us  to  purchase 
our  product,  we  learned  that  it  was  for  the  benefit  of 
a  third  party.  When  asked  for  the  name  of  the  user, 
Snyder  refused  to  give  us  that  information.  Because 
of  this,  CipherTrust  was  reluctant  to  sell  him  our 
appliance;  clearly,  this  frustrated  him.  This 
CipherTrust process has been overwhelmingly successful
in providing a positive experience of product
delivery and support to more than 2,000 of our
enterprise customers.

For us, the initial sale marks the beginning of a
long-term relationship with a customer. Over the lifetime
of this relationship, customers receive a variety
of products and services, including installation, technical
and product support, as well as regular
updates and upgrades to keep them protected from
new security threats. Therefore, knowing the identity
of our customers is critical.

Furthermore, as a mature company with well-defined
accounting and financial processes, we
must ensure that we correctly attribute every product
sale to the respective customer — regardless of
whether a customer bought the product directly
from us or through one of our partners.

We have a separate and flexible program for independent
testing labs to evaluate our products. In this
case, there is no need to purchase the product, as
evaluations can be conducted free of charge after
signing an evaluation agreement. We have informed
Snyder that he is welcome to evaluate our products
for his independent consulting projects by working
with our marketing department, and that we will
extend him our complete support (similar to when
he evaluated our products on behalf of Network
World’s official evaluation in December 2004).

We  look  forward  to  working  with  Snyder  on  this  in 
the  near  future. 

Atri  Chatterjee 
Senior  vice  president,  marketing 
CipherTrust 
Sunnyvale,  Calif. 

Vista  delay  no  big  deal 

Regarding “Microsoft plays games with Vista ship
date” (www.nwdocfinder.com/5224): I find it funny
that so many recent articles treat Microsoft’s decision
to delay the rollout of Vista for a couple of
months as if it were some kind of doomsday prediction.
Sure, everyone likes to poke fun at Gates & Co.,
but really how much does it matter?

If the need for a new operating system from
Microsoft is so critical, how come so many organizations
still have boxes with an 8-year-old operating
system (Windows 98) still running? There may be
some high-powered enterprises out there that have
pushed XP to its limits, but there can’t be many. I run
a 1,009-node network with XP SP2 on the desktop. It
is reliable, performs well and is quite manageable for
my three-person tech department. If I have to wait 18
months for the latest and greatest, so be it. If
Microsoft wants to delay the beginning of its revenue
stream from this new operating system a few
more months, how does that hurt me?

Gary  Olson 
Director  of  technology 
De  Soto  School  District  #73 
De  Soto,  Mo. 

E-mail letters to jdix@nww.com or send them to John Dix, editor in
chief, Network World, 118 Turnpike Road, Southborough, MA 01772.
Please include phone number and address for verification.


Readers respond: Find out what readers are saying about these and other topics.
www.nwdocfinder.com/1030


—  John  Dix 
Editor  in  chief 
jdix@nww.com 
STRATEGY SESSION
Jeff Kaplan


CACHE ADVANCE
Linda Musthaler


Bridging the ITIL-SOA gap


Two of today’s most popular acronyms in the
alphabet soup of the IT industry are ITIL and
SOA. The IT Infrastructure Library has gained
attention as a governance framework aimed at
helping IT operations people become more productive
and effective, while service-oriented architecture
has become the guidepost for software
developers seeking to make their applications
more user-friendly and flexible. Although these
two concepts complement each other, many
organizations have failed to align their ITIL and
SOA initiatives properly.

ITIL and SOA are not new, but they are gaining
greater attention as impatience with IT inefficiencies
and application inflexibility reaches an all-time
high. ITIL provides a time-tested set of
straightforward principles for organizing an effective
IT operations group. It includes structural and
policy guidelines, as well as step-by-step procedures
to create a more democratic and cost-effective
IT governance process to better support an
organization’s business objectives. Underlying
these elements is the premise that IT should serve
the organization rather than complicate it. SOA
was created to achieve similar objectives by providing
technical guidelines to help software
developers design applications that better serve
the overall organization and individual users.

Despite the common goals and guiding principles
of ITIL and SOA, there is a chasm in many
organizations between these two efforts. This is
because some of the fundamental problems that
have produced inefficient IT operations and unresponsive
business applications also are conspiring
to derail many ITIL and SOA initiatives. The
most significant obstacle is the psychological distance
and structural barriers between the IT
operations and software-development teams. At
the risk of overgeneralizing, IT technicians focus
on controlling their operating environment, while
software developers are preoccupied with creating
new application capabilities. A long history of
working apart and often at odds has created
enough apprehension between these two groups
to make it difficult to put aside their differences to
achieve a common objective.

This leads to the second obstacle to success.
Many organizations have permitted the same
structural barriers that got in the way of properly
coordinated IT operations and software development
in the past to continue even as they have initiated
their ITIL and SOA adoption efforts. Rather
than use these initiatives to break through organizational
silos, many companies are conducting
separate ITIL and SOA efforts in a vacuum. Just as
two trains gaining speed on parallel tracks will
create a tremendous collision when their paths
finally cross, many organizations also find that
their independent ITIL and SOA initiatives
encounter serious setbacks when they finally
merge.

The key to success is integrating and aligning
your ITIL and SOA initiatives early. Make sure that
there is sufficient cross-representation of the IT
operations staff and software developers in both
efforts. Establish a coordinating committee that
ensures the overall goals and specific procedural
guidelines of the initiatives are tightly coupled.
And build into your ITIL framework and SOA an
ongoing communications and reporting mechanism
to encourage real collaboration.

Kaplan is managing director of ThinkStrategies, a
consultancy in Wellesley, Mass. He can be reached
at jkaplan@thinkstrategies.com.


Porn  purveyors  may  be  in  the  next  cubicle 


News about Internet-enabled child pornography
is rampant today. It seems you can’t
watch TV news without another startling
arrest story followed by an interview with an
expert about how to keep your children safe
while online.

It’s great that parents are learning more about
how to protect their young from predators. Today,
however, I want to talk about how employers can
protect themselves from predators and how they
can protect the stupid predators from themselves.

In March, a program executive in NASA’s
Washington, D.C., headquarters was accused of
using his office computer (as well as his home
computer) to send and receive child pornography.
You can read the detailed allegations of
wrongdoing in the affidavit for a search warrant
at www.nwdocfinder.com/3222. According to the
document, the alleged perpetrator used a fake
name to exchange e-mails containing inappropriate
materials. Although he tried to hide his
identity, his static IP addresses pointing to his
home and office were strong clues for the investigators.
When the computers were searched, sure
enough, the contraband files were discovered.

To its credit, NASA helped finger the guy when
Web content filter logs showed that pornographic
Web sites (identified by IP address) were being
viewed from the man’s office computer. In addition,
NASA’s skin-tone filtering system detected
that pornographic materials were being viewed
on the employee’s PC.

A similar case involves an assistant principal at
a New York high school who recently pleaded
guilty to using his workstation at school to download
and trade pornography. He also admitted
soliciting underage girls for sex. Yet another
recent case points to a deputy press secretary
from the Department of Homeland Security —
you guessed it — downloading porn and soliciting
young girls.

These  men  are  sick;  there’s  no  doubt  about  that. 
They  deserve  to  be  arrested  and  removed  from 
our  society  through  lengthy  jail  terms.  I’m  just 
grateful  we  have  the  technology  today  to  monitor 
and  trace  the  activities  of  people  like  this. 


Which brings me to the point I want to make:
Technology is a tool that can help protect us all.
I am including employers in my definition of “us.”

According to Websense, a vendor of Web security
and filtering software, 70% of porn is downloaded
between 9 a.m. and 5 p.m. What’s more,
37% of at-work Internet users in the United States
have visited an X-rated Web site from work; 25%
of all search-engine requests are porn related.
These statistics seem to show that employees like
the fast office connection that allows them to
view or download inappropriate materials in less
time than it would take at home.

Many employers block this type of material
with Web-filtering and content-blocking software,
such as that from Websense or ContentWatch.
Many others, however, just haven’t seen the need
to incur the overhead of Web-filtering software.

For the companies in the latter category, let’s
play the what-if game. What if it was your employee
who used your company’s resources to
download child porn and trade it online? What if
CNN was blasting your company name every half
hour as the story got told over and over again,
and images of your corporate headquarters were
shown, surrounded by police cars and FBI
agents? What if the child victim’s parents sued
your company for permitting the employee to do
this while at work? What if fellow employees sued
over a hostile work environment?

For most employees, it’s enough to tell them that
company policy forbids them from visiting porn
Web sites at work. Other employees need to have
a message saying, “This content is blocked,” to
remind them not to go there. A few need reprimand
or dismissal if they persist, especially if the
activity is illegal and not just immoral.

Web-filtering  and  content-blocking  software 
should  be  a  standard  part  of  your  network.  It’s 
insurance  against  situations  like  the  ones  above. 

Ironically, I had to write this column at home,
because the office in which I work blocked some
of the search words I used in my research. To my
network administrator, I say “Way to go!”

Musthaler is vice president of Currid &
Company, a Houston-based technology assessment
firm. She can be reached at linda@currid.com.
INTEROPLABS HITS ON NAC,
VOIP AND OPEN SOURCE

In some settings the word "lab"
conjures up sterile images of long, stainless-steel
countertops, white rats and even whiter
lab coats. The HotStage event for the 2006 InteropLabs
takes place in a drafty warehouse in Belmont,
Calif., and is more about long racks of networking
gear, box monkeys and T-shirts and jeans — but the
work is nonetheless pretty valuable.

InteropLabs is the experimental portion of the
Interop show network. In it, dozens of experienced
network engineers test hundreds of commercial
and open source products, focusing on how the
gear can work together peacefully on a corporate
network. The testing culminates in a series of formal
demonstrations on the show floor this week in
Las Vegas, but the testing process itself provides a
window into how these products integrate standard
protocols — as well as the hoops you may
need to jump through to get them working as a
coherent whole on your own network.

As the media sponsor of InteropLabs, Network
World gets exclusive access to the testing results
from the InteropLabs HotStage event that took
place in early April. The three focal points of this
year's InteropLabs demonstration areas explored
these questions:

• Can the network access control (NAC) products
being touted by almost every security vendor today
actually work together to fulfill the promise of a
safer network?

• What happens when previously interoperable
VoIP devices go to work in decidedly unfriendly
environments, such as through security devices
with network address translation turned on or
across wireless LAN links?

• Can open source operating systems and applications
integrate with existing Windows environments
for a peaceful, manageable corporate network?
(See www.nwdocfinder.com/3221.)

We’ve placed Network World Lab Alliance partner
Joel Snyder on the NAC team, alliance partner
David Newman on the VoIP team and alliance partner
Rodney Thayer on the open source team. Read
on to find the lessons learned from these significant
testing endeavors.


INTEROP LABS EXPLORATION

End-to-end NAC remains difficult

BY JOEL SNYDER, NETWORK WORLD LAB ALLIANCE

Network access control is a phrase on everyone’s
lips, but InteropLabs’ testing shows that
completely interoperable, enterprise-class NAC
products are not here yet — though they could
be just around the corner.

The InteropLabs NAC team built three demonstration areas, each devoted to a single architectural
model: Trusted Computing Group’s Trusted Network Connect (TCG-TNC), Microsoft’s Network Access
Protection (NAP) and Cisco’s Network Admission Control (C-NAC). Our goal was to bring together
interoperable products in each NAC silo and build a complete, end-to-end deployment. Overall, we did find
interoperable products within each silo, but no NAC architecture is completely filled out with products
at this time. TNC, the simplest of our demonstration areas, came up in just a few hours, but NAP and
C-NAC took several engineers and a very long weekend to get to a stable state. In both these tough cases,
we would not have been as successful as we were without substantial onsite advice from vendor
engineers who had been through the exercise in their own interoperability labs.

The  world  of  NAC  is  full  of  all-in-one  solutions  from  vendors  that  offer  to  solve  some  of  a  company’s 
NAC  problems  most  of  the  time. The  whole  point  of  InteropLabs  is  interoperability,  and  we  looked  for 
products  from  multiple  vendors  that  plug  into  open  architectures.  Unfortunately  for  the  enterprise 
buyer,  InteropLabs’  focus  throws  a  blinding  spotlight  on  the  lack  of  interoperable  solutions  in  the  NAC 
marketplace. 

For example, Lockdown Networks came in to integrate its product into the NAP demonstration area.
Lockdown offers a “complete,” end-to-end NAC system, but it’s complete only if you use its product and
its strategy for everything from the server to the client and every enforcement technology in between.
We tried to bolt the Lockdown system into the NAP policy decision point (the place in the network
where NAC policy decisions are made). Lockdown quickly pulled back from full participation but
promised to come back at Interop for another grab at the NAP ring.

In other cases our implementation was stalled merely by the fact there were no vendors from which
to choose. In the NAP silo, for example, not a single vendor came forward with client-posture
data-collection and validation add-ins for the Microsoft client. This may not be such a big surprise, seeing that we
are nine months out from the release of Vista/Longhorn — the version of Windows that will fully
support NAP — but it is evidence of how new and untested this technology is. In the TNC test network, we
had three integrity-measurement validators available — but only
because engineers at Juniper Networks had written all three.


Trusted  Computing  Group's  Trusted  Network  Connect 

The TNC interoperability demonstration comprised Juniper’s
Odyssey client on the user’s system and Juniper’s Steel-Belted
Radius (SBR) server as the policy decision point. This demo came
up fast, but there’s a caveat: Juniper has plans to move on from the
products it brought to InteropLabs. Infranet, Juniper’s original NAC
architecture, is undergoing a radical restructuring as a
result of the company’s acquiring Funk Software last
December.

Lost in NAC terminology?
Can't tell your IMV from your PDP?
See www.nwdocfinder.com/3226 for
our guided tour of NAC terms.

In the InteropLabs testing, we heard about one of the
main reasons Funk was so attractive to Juniper: a fully
operable NAC product based on the TNC architecture.
Juniper promised to bring Version 2.0 of its NAC product
set to Interop, which will combine the client and server
pieces from Funk with its own Infranet Controller policy
management tools. This combination should help push
Juniper’s firewalls and SSL VPN devices as enforcement
points inside the TNC realm.

In our InteropLabs silo, we built a network where the
policy-enforcement point (the place in the network
where NAC policy is enforced) could be any of four
802.1X-compliant switches from Cisco, Enterasys, Extreme
and HP, or of two 802.1X-compliant wireless access points
from Cisco and Enterasys.

To the network’s policy decision point, we bolted in a
Symantec integrity-measurement validator atop Juniper’s
SBR server. Juniper has built four TNC integrity-measurement
validators for IBM/Tivoli, McAfee, PatchLink and
Symantec. We were disconcerted to find that only Juniper
is shipping a production TNC client. Of course, some of
this scarcity is because of incomplete TNC specifications.
Our hope is that by this time next year, we’ll have more
choice in clients.

Because all the switches and access points support RFC
3580 — virtual LAN assignment — we showed that clients
moving in and out of compliance would be shunted off
to production or quarantine VLANs. This was a fairly limited
demonstration but showed one small aspect of NAC’s
promise. To extend our reach into more interesting areas
to be addressed by NAC in the future, Mark Townsend, the
Enterasys engineer onsite during HotStage, brought the
Enterasys switch into the picture with finer-grained access
controls — simple packet filters — in place.

This was an interesting experiment because it illustrated
the perils of mixing different switches in a NAC
network. We discovered if we took advantage of
the access-control list features of the Enterasys
switch, several other switches quit working as
NAC policy-enforcement points. We also saw disagreement
between switches about the format of
the RADIUS attributes sent by the SBR server. Fortunately,
we had Juniper engineers Christian MacDonald
and Jeff Reilly onsite to add the necessary
magic to the SBR server to resolve this issue
by creating separate RADIUS dictionaries for
each device. Regardless of the happy ending, it is
a harsh lesson on how brittle a NAC deployment
can be and how much expertise is required to
put all the pieces together in good working order.
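
The sketch below is an added example, not code from the article, Juniper or any switch vendor: it encodes the three RFC 3580 VLAN-assignment attributes in a per-device format and shows how an enforcement point that reads them differently lands on the wrong VLAN string. The device names and the specific differences (a tag octet, a VLAN name in place of the numeric ID) are assumptions, since the article does not say which formats the switches disagreed on.

```python
"""RFC 3580 VLAN assignment attributes, encoded per enforcement device."""

# Attribute types are from RFC 2868; the VLAN and 802 values are from RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Hypothetical per-device profiles, standing in for per-device RADIUS
# dictionaries. The device names and the differences are constructed for
# illustration; the article does not say which formats its switches wanted.
DEVICE_PROFILES = {
    "switch-a": {"tag": 0, "group": "id"},    # untagged, numeric VLAN ID
    "switch-b": {"tag": 1, "group": "id"},    # tag octet 0x01 on every attribute
    "switch-c": {"tag": 0, "group": "name"},  # VLAN name (a vendor convention)
}


def tlv(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if not 0 < attr_type < 256 or len(value) > 253:
        raise ValueError("attribute does not fit the RADIUS TLV format")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_integer(attr_type, tag, number):
    """Tunnel-Type / Tunnel-Medium-Type: tag octet, then a 3-octet value."""
    return tlv(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def vlan_attributes(device, vlan_id, vlan_name):
    """Build the three RFC 3580 attributes in the format `device` expects."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    profile = DEVICE_PROFILES[device]
    tag = profile["tag"]
    group = str(vlan_id) if profile["group"] == "id" else vlan_name
    value = group.encode("ascii")
    if tag:
        # In the string attribute the tag octet is optional and only present
        # when a tag in the range 0x01..0x1F is in use.
        value = bytes([tag]) + value
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tlv(TUNNEL_PRIVATE_GROUP_ID, value))


def parse_attributes(blob):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    pairs, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError("attribute length out of range")
        pairs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return pairs


def switch_reads_vlan(blob, honours_tag):
    """Model an enforcement point pulling the VLAN out of an Access-Accept.

    Returns None when the attributes do not describe an 802 VLAN.
    """
    attrs = dict(parse_attributes(blob))
    for attr_type, wanted in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                              (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)):
        value = attrs.get(attr_type, b"")
        if len(value) != 4 or int.from_bytes(value[1:], "big") != wanted:
            return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return None
    if honours_tag and 0x01 <= group[0] <= 0x1F:
        group = group[1:]  # strip the tag octet before reading the string
    return group.decode("latin-1")


if __name__ == "__main__":
    for name in DEVICE_PROFILES:
        print(name, vlan_attributes(name, 20, "quarantine").hex())
```

A device that does not strip the tag octet reads the VLAN as a three-character string starting with 0x01, matches no configured VLAN, and the client never reaches production or quarantine.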

In addition to the Juniper implementation, the
TNC team had a parallel NAC-deployment effort
going on that used open source tools. Chris
Hessing from the University of Utah is one of the
lead developers of Xsupplicant, the open source
802.1X supplicant for Linux systems. Hessing
worked with Mike McCauley of Open Systems
Consultants to add TNC support to Xsupplicant
and Radiator, a commercial RADIUS server. By
the end of HotStage, Hessing had Xsupplicant on
the access-requester, talking to Radiator on the
policy-decision-point side using a Vernier EdgeWall gateway as
the policy-enforcement point. The effort won’t have much
commercial impact (because enterprises rarely worry
about the endpoint-security status of their Linux desktops),
but it does represent an invaluable reference platform
for software developers looking to test interoperability
or just to see “how it all fits together.”


Microsoft’s  Network  Access  Protection 

Without a guided tour showing exactly what build to
install and how to avoid the product’s rough spots, no one
but an experienced Microsoft engineer stands a chance
at getting NAP running at this stage in the Vista/Longhorn
beta cycle. Our team, led by Craig Watkins, one of Interop’s
most senior network engineers, spent the first four days of
the HotStage downloading code from the Microsoft site,
guessing which components to install and floundering
over the Longhorn server and Vista client, to no avail.
Then, thankfully, Microsoft sent down Chris Edson, one of
NAP’s test engineers, and things began to fall into place.

Although NAP is slated to integrate with many access
methods, such as IPsec VPNs, our demonstration focused
on using it in an 802.1X, wired and wireless LAN (WLAN)
environment. We assembled switches from Cisco, Enterasys,
Extreme, HP and Nortel, and access points from
Aruba Wireless Networks, Cisco and HP as our
policy-enforcement points. In the world of NAP, looking for
integrity measurement collectors (software on the client
that gathers endpoint-security information) and
integrity-measurement validators is not so easy.

Microsoft has an integrity-measurement collector-validator
pair that evaluates Windows security settings, such
as the state of its built-in firewall, and Windows Update.
But no other collector and validator tools are ready to go
at this early date in Vista/Longhorn’s life cycle. The one
closest to being ready is a tool from CA for eTrust Antivirus,
because Microsoft uses the tool for its internal beta
testing. We stuck with Microsoft’s own collector and
validator tools.

Our results were mixed, especially in the wireless arena,
but this probably has more to do with the newness of
Longhorn and Vista than with defects in the NAP software.
For example, at one point the network policy server (NPS)
on our Longhorn server (which is Microsoft’s policy decision
point) started recording errors in the log file rather
than responding to NAP authentication requests, indicating
that something had broken between the Longhorn
TCP/IP stack and the NPS application. A quick reboot
solved the problem, but finding the suddenly errant server
took time. Our experiences on the client side were also
inconclusive. We had two identical laptops running Vista,
and until the wee hours of the morning, one laptop
worked very well, but the other wouldn’t
authenticate at all. The next day,
mirabile dictu, everything was fine.

Where NAC schemes break down

As described in most network access control architectural diagrams, when a client requests access to the
network, an access requester gathers information about the state of that endpoint machine and passes
it on to a policy decision point, which determines whether that client machine is worthy of a place on the
network. If it is, the policy enforcement point allows the machine onto the network. If it is not, the policy
enforcement point either quarantines it to a place on the network where it can be upgraded to comply with
network standards or blocks access completely. In practice, though, as was shown in testing these products
as part of the InteropLabs NAC initiative, things don't always work as smoothly as planned. Here are the
trouble spots...

[Diagram labels: Access requester (client); Policy decision point; Policy enforcement point; Integrity measurement collector; Network access requester; Network access authority]

• The broker piece within each NAC architecture is a single-vendor solution, which dramatically reduces
interoperability problems. Within the Trusted Computing Group Trusted Network Connect (TCG-TNC)
architecture, other brokers may become available soon.

• There are very few posture collectors and validators available today. There are none for
Microsoft's Network Access Protection architecture, only four preliminary ones for TCG-TNC
and a handful for Cisco's Network Admission Control architecture. At Interop, announcements
from multiple posture collector and validator vendors regarding their support for various
NAC schemes are expected.

• NAC clients are available only for Windows right now. Xsupplicant, a Linux TCG-TNC client, is under
development. Other platforms, from Macs to printers, may require a different strategy for full
interoperability.

• The biggest interoperability issue the InteropLabs engineers found was how
802.1X-capable switches interpreted RADIUS attributes and what formats
they required. Not every vendor was strictly compliant with the RADIUS.

In another example of the newness of
the platform raising warning flags
about NAC, we can point to Vista not
handling DHCP correctly when on a
wireless network and flopping between
quarantine and production networks,
which required manual intervention.
From the point of view of interoperability,
however, NAP worked well with the
wired and wireless devices we tested.
We ran into the same RADIUS
formatting-interoperability problem that we
saw in TNC, but solved it using mechanisms
built into Microsoft’s NPS tool.

Cisco's  Network  Admission  Control 

Our C-NAC demonstration had mixed
success: What we tried worked, but
because of time constraints, we couldn't
explore the breadth of the C-NAC
architecture. With extensive onsite support
from InfoExpress and LANDesk,
the C-NAC team, led by Brett Thorson, a
network scientist specializing in IPv6
security, built a C-NAC network with
multiple integrity measurement collector
and validator pairs. What Cisco's network
lacks in openness at the network
policy enforcement point layer — you
can use only Cisco switches — it makes
up for in the availability of third-party,
interoperable tools to help in making
the policy decision.

Cisco provided great hardware support
but couldn't spare any staff to
help with configuration. That left us
fairly high and dry in getting things to
work together properly in fairly short
order. Cisco Trust Agent (CTA) client-side
software uses strategies that depend
on a network's topology to get
information about endpoint security
assessment from the integrity measurement
collector to the validator. We
used its Extensible Authentication
Protocol-over-User Datagram Protocol
(UDP) strategy with Cisco routers and
switches as a first stab at the problem,
with a plan to move to the
EAP-over-802.1X option if time permitted.
Because of time constraints, we couldn't
attempt Cisco's clientless option, Cisco
Clean Access (from the Perfigo acquisition),
or its own host intrusion-detection
system, Cisco Secure Access
(from the Okena acquisition).

On the access-requester side, Cisco
provides Cisco Trust Agent, talking to
Cisco's Access Control Server (ACS)
Version 4.0 RADIUS server on the
policy-decision-point side.

We  used  a  Cisco  3550  LAN  switch  as 
our  policy  enforcement  point  and 
brought  InfoExpress’  CyberGatekeeper 
and  LANDesk’s  Management  Suite  in 
as  integrity  measurement  collectors 
and  validators,  with  a  piece  sitting  on 
the  clients  and  InfoExpress  and 
LANDesk  servers  running  within  the 
policy  decision  point,  talking  to  the 
Cisco  ACS  RADIUS  server. 

We observed that the integration between
LANDesk and InfoExpress and
Cisco's ACS wasn't going to work in all
situations. In particular, we saw the
client-side tools could use only the
C-NAC path to get their integrity information
to their servers. They had to
have an unencumbered path on the
network. This would cause issues if a
company wanted to mix EAP-over-UDP
and EAP-over-802.1X communication
streams in its network.
LANDesk was compatible only with
the older versions of CTA (before
Version 2.0), and the company's engineer
onsite couldn't integrate his tools
with the current version of the CTA
client C-NAC tool.

Although the Cisco solution took
longer to set up than we had expected,
we found good interoperability between
security management tools sitting
on top of CTA on the client side
and on top of ACS on the server side.
Making changes to the network was
also easy.

For example, while it took a full day
to get everything running with
LANDesk, our first third-party vendor,
adding InfoExpress's gear to the network
once everything was stable took
only a few hours' work.

The bottom line on our overall NAC
interoperability experience is that this
is a market where there is not only the
strong aroma but also the Limburger.
We have three solid groups of vendors
trying to solve a common problem
and pushing forward as quickly as
commercially possible. While there is
considerable chaos in the market, it's a
safe bet to say that interoperable solutions
are going to be available at year-end
or the beginning of next year. It's
too early to draw any conclusions
about which strategy will work best for
which types of networks, though, especially
with powerhouse Cisco going
head-to-head with the TNC
standards-based approach.

Snyder,  a  Network  World  Test  Alliance 
partner,  is  a  senior  partner  at  Opus  One 
in  Tucson,  Ariz.  He  can  be  reached  at 
Joel.Snyder@opus1.com.


VoIP  team  ventures 
into  new  terrain 


BY  DAVID  NEWMAN,  NETWORK  WORLD  LAB  ALLIANCE 


By now, basic interoperability is generally
a given in multivendor VoIP settings. What
happens, however, when VoIP devices go to
work in decidedly unfriendly environments,
such as through security devices
and across wireless LANs?


Results of the testing completed by the InteropLabs VoIP team suggest new QoS mechanisms
can work effectively but security remains as tricky as ever to get right. Even though
it's not a security mechanism, network address translation (NAT) also proved especially
troublesome.

The  team  built  a  complex  test  bed  connecting  the  VoIP  phones  of  five  enterprises  across  a 
vast  armory  of  firewalls,  IPsec  and  SSL  VPN  concentrators,  and  intrusion-detection  systems. 

The security-gear suppliers included Aventail, BorderWare, Check Point, Cisco, Juniper and
Nokia. Some vendors shipped multiple security devices: For example, Juniper supplied a firewall,
an intrusion-prevention system (IPS), two IPsec VPN concentrators — and three engineers
to get everything working.

In addition to security boxes at the edge of each enterprise's network, the security apparatus
included IPsec and SSL VPN clients for remote users. Corporate network managers planning
VoIP rollouts will probably deploy similar setups, configuring IP phones and security
devices and drop-shipping them to remote users.

All this equipment ensured tight security — in some cases, a little too tight. For example,
BorderWare's SIPAssure offered detailed control over Session Initiation Protocol (SIP) but
didn't provide the access controls needed in a general-purpose firewall. Conversely, InteropLabs
engineers deployed an Aventail firewall and VPN concentrator at the perimeter of one
enterprise but found the device did not proxy SIP traffic at all.

In  both  cases,  the  team  redesigned  the  network  by  placing  these  devices  alongside  other 
firewalls;  in  Aventail’s  case,  its  device  was  repurposed  as  an  SSL  VPN  concentrator;  the 
BorderWare  box  became  a  VoIP  session  border  controller  alongside  another  BorderWare 
firewall. 

The test bed also comprised numerous wireless LAN (WLAN) switches, access points and
end-stations, all using the new 802.11e standards for QoS enforcement. Phones in this year's
event were equally diverse, ranging from softphones on PC and Mac clients to old analog
handsets with SIP adapters and Wi-Fi and Ethernet SIP handsets.

Unlike  past  years,  where  the  focus  was  on  interoperability  among  multiple  vendors’  SIP 
proxies,  the  InteropLabs  team  this  year  standardized  on  the  open  source  Asterisk  SIP  proxy 
for  four  of  the  enterprises.  At  the  fifth  were  two  proxies:  an  Asterisk  box  and  the  SpectraLink 
SIP  proxy  which  SpectraLink’s  new  SIP-enabled  handsets  require.  In  general,  however,  the 
focus  wasn’t  on  the  SIP  proxy  used  but  on  the  diversity  of  the  equipment  around  it. 

In  all,  around  20  vendors  contributed  equipment  and  engineering  resources  to  the  effort, 
making  this  among  the  largest  VoIP  test  beds  yet  constructed  by  the  InteropLabs  team. 


To  NAT  or  not  to  NAT 

One of the most difficult decisions in this testing demonstration was whether to use NAT.
Network architect and team leader Jim Martin — his day job is distinguished architect at
Netzwert — initially opposed its use on the grounds that NAT breaks the end-to-end principle
of Internet communications and might also introduce interoperability issues. As it turned
out, he was right on both counts.

Other team members argued that regardless of whether NAT is good or evil, it's in widespread
use today and should be included in at least part of the test bed. The pro-NAT argument
prevailed. Team engineers configured one of the five enterprises to use private
net-10 addresses and enabled NAT on a Check Point firewall linking this enterprise
to the rest of the test bed.

Enabling NAT proved to be troublesome
from the start. Initially, neither inbound nor
outbound calls reached their destinations.
It took two hours of capturing traffic from
various points and then an hourlong discussion
in front of a whiteboard to lay out
the various issues.

In situations where one side used NAT
but the other didn't, the SIP proxy received
traffic but didn't return it. That's because
SIP proxies get source IP addresses from
the SIP header by default, not from the IP
header. In this case, NAT translated the
source IP address in the IP header, but not
in the SIP header. Because the SIP proxy
had no route to the source address using
NAT, there was no way for the proxy to
return traffic (see online diagram,
www.nwdocfinder.com/3236).

The team set a “nat=yes” parameter on the
Asterisk SIP proxy, forcing it to read addresses
from IP rather than SIP headers. This
solved the first problem of the SIP proxy
not being able to send return traffic. It did
not help with the second problem: the
Check Point firewall not sending return
traffic through an IPsec tunnel (this isn't a
knock on Check Point's firewall; virtually
any NAT box would do the same thing).

This second problem proved more intractable
than the first. Even though the SIP
proxy now processed traffic correctly, the
firewall at the enterprise site forwarded
VoIP traffic onto the public network
instead of placing it inside an IPsec tunnel
for routing back to the remote-side caller.

Engineers from Check Point and the InteropLabs
team worked to resolve the
problem but couldn't get VoIP working
with NAT during the HotStage event. Check
Point's engineers believe the problem is
caused by the configuration's parameters.
At press time, Check Point was building a
duplicate test bed in its labs, intending to
correct the configuration in time to
demonstrate VoIP and NAT working
together at the show.
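The header mismatch described in the NAT section above, as an added example (not code from the article or from Asterisk): it parses a constructed SIP REGISTER, compares the addresses in the Via and Contact headers with the packet's source address, and shows which reply target a proxy picks when it trusts the SIP header versus the IP header. The addresses, the sample message and the function names are assumptions made for illustration, and the two-mode reply logic is a simplification of the behavior the article attributes to the "nat=yes" setting.

```python
"""Added illustration: SIP header addresses vs. the packet source after NAT."""
import ipaddress
import re

# RFC 1918 private ranges; the article's enterprise used net-10 addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a REGISTER as the proxy sees it after a NAT device
# rewrote the IP header but left the SIP headers untouched.
SAMPLE_SIP = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.20.15:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:2001@pbx.example.test>;tag=49583\r\n"
    "To: <sip:2001@pbx.example.test>\r\n"
    "Call-ID: 843817637684230@10.1.20.15\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:2001@10.1.20.15:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: source address and port from the IP/UDP headers (post-NAT).
OBSERVED_SRC = ("198.51.100.7", 40112)


def parse_headers(message):
    """Return {lowercased name: [values]} for the header block."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def split_hostport(hostport, default_port=5060):
    """Split 'host[:port]' (IPv4 or hostname) into (host, port)."""
    host, sep, port = hostport.partition(":")
    return host, int(port) if sep else default_port


def via_sent_by(via_value):
    """'SIP/2.0/UDP host:port;params' -> (host, port)."""
    return split_hostport(via_value.split()[1].split(";", 1)[0])


def contact_hostport(contact_value):
    """'<sip:user@host:port>' -> (host, port), or None if no SIP URI."""
    match = re.search(r"sips?:(?:[^@>;]+@)?([^;>\s]+)", contact_value)
    return split_hostport(match.group(1)) if match else None


def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not a literal address
        return False
    return any(addr in net for net in RFC1918)


def reply_target(message, packet_src, trust_packet_source):
    """Where the proxy sends its response.

    trust_packet_source=False: address taken from the top Via header.
    trust_packet_source=True: address taken from the IP/UDP headers.
    """
    if trust_packet_source:
        return packet_src
    return via_sent_by(parse_headers(message)["via"][0])


def nat_findings(message, packet_src):
    """List headers that advertise a private address the packet did not come from."""
    headers = parse_headers(message)
    candidates = [("Via", via_sent_by(v)) for v in headers.get("via", [])]
    for value in headers.get("contact", []):
        hostport = contact_hostport(value)
        if hostport:
            candidates.append(("Contact", hostport))
    findings = []
    for name, (host, port) in candidates:
        if host != packet_src[0] and is_rfc1918(host):
            findings.append(
                f"{name} advertises {host}:{port}, "
                f"packet came from {packet_src[0]}:{packet_src[1]}")
    return findings


if __name__ == "__main__":
    print("header-based reply to:", reply_target(SAMPLE_SIP, OBSERVED_SRC, False))
    print("packet-based reply to:", reply_target(SAMPLE_SIP, OBSERVED_SRC, True))
    for finding in nat_findings(SAMPLE_SIP, OBSERVED_SRC):
        print("NAT mismatch:", finding)
```

The Contact finding matters for later requests as well: even when responses go to the packet source, the registered contact still points at an address the proxy cannot route to.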

Cutting  the  cord 

The WLAN setup comprised a mix of
access points and WLAN switches from
such vendors as Aruba Wireless Networks,
Cisco (in IOS and Linksys versions),
Extreme Networks and Symbol. In addition,
Check Point and Juniper supplied
remote-office devices that combine firewall
and VPN concentrator functions with
access points.

Hanging off these devices were softphones
and wireless handsets from Cisco,
CounterPath Solutions, SpectraLink, Unex
and UTStarcom.

A key goal of the testing was enabling the
Wi-Fi Alliance's Wi-Fi Multimedia Extensions
(WMM) to ensure better treatment
for voice traffic. Based on the IEEE's
802.11e standard, WMM introduces a new
twist to QoS enforcement. Instead of simply
queuing VoIP packets ahead of others on
any given station, it seeks to transmit VoIP
packets first from any station, helping to
keep delay and jitter to a minimum.

Determining  which  devices  supported 
WMM  wasn’t  always  intuitive.  For  example, 
a  consumer-grade  Linksys  access  point 
offered  WMM  support  out  of  the  box,  but 
new  SIP-enabled  handsets  did  not  create 
packets  with  WMM’s  QoS  headers.  The 
SpectraLink  problem  could  be  caused  by 
the handset or SIP proxy configuration, and
at press time team engineers were continuing
to examine it.

Another problem in prioritizing VoIP traffic
has to do with lining up multiple QoS
mechanisms. IP-forwarding devices, such
as routers, generally use Layer 3 criteria
such as DiffServ code points (DSCP) or IP
precedence flags to classify traffic. In contrast,
Layer 2 devices, such as wireless
switches, use WMM access classes found in
the 802.11 header.

Most sites will generally use only one
WMM access class for VoIP traffic, but
there may well be multiple DSCPs in use.
As the team learned, it's critical that
devices with both IP and WLAN capabilities
(such as WLAN switches) map all the
relevant DSCPs to the appropriate WMM
access class.
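An added example (not from the article) of checking the DSCP-to-WMM mapping this paragraph calls for: it uses the WMM default that derives the access class from the 802.1D user priority, assumes a device that takes the user priority from the top three DSCP bits unless an explicit override is configured, and lists the voice DSCPs that would land outside the voice class. The DSCP values in use, the override tables and the function names are constructed for illustration.

```python
"""Added illustration: audit DSCP-to-WMM access-class mapping for voice."""

# WMM default: 802.1D user priority (UP) -> access class.
UP_TO_AC = {
    1: "AC_BK", 2: "AC_BK",   # background
    0: "AC_BE", 3: "AC_BE",   # best effort
    4: "AC_VI", 5: "AC_VI",   # video
    6: "AC_VO", 7: "AC_VO",   # voice
}
ACCESS_CLASSES = set(UP_TO_AC.values())

# Standard names for the code points used below.
DSCP_NAMES = {40: "CS5", 46: "EF", 56: "CS7"}

# Constructed site data: three markings seen on voice traffic from
# different phone vendors, and three candidate override tables.
VOICE_DSCPS_IN_USE = {46, 40, 56}
NO_OVERRIDES = {}
PARTIAL_OVERRIDES = {46: "AC_VO"}
FULL_OVERRIDES = {46: "AC_VO", 40: "AC_VO"}


def default_access_class(dscp):
    """Assumed fallback: UP is the top three DSCP bits (IP precedence)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return UP_TO_AC[dscp >> 3]


def effective_access_class(dscp, overrides):
    """Access class after applying the device's explicit overrides."""
    access_class = overrides.get(dscp, default_access_class(dscp))
    if access_class not in ACCESS_CLASSES:
        raise ValueError(f"unknown access class: {access_class}")
    return access_class


def audit_voice_mapping(voice_dscps, overrides, wanted="AC_VO"):
    """Return {dscp: actual class} for voice DSCPs not mapped to `wanted`."""
    misses = {}
    for dscp in sorted(voice_dscps):
        actual = effective_access_class(dscp, overrides)
        if actual != wanted:
            misses[dscp] = actual
    return misses


def report(voice_dscps, overrides, wanted="AC_VO"):
    """Human-readable lines for each mis-mapped voice DSCP."""
    lines = []
    for dscp, actual in audit_voice_mapping(voice_dscps, overrides, wanted).items():
        name = DSCP_NAMES.get(dscp, "unnamed")
        lines.append(f"DSCP {dscp} ({name}) -> {actual}, expected {wanted}")
    return lines


if __name__ == "__main__":
    for label, table in (("no overrides", NO_OVERRIDES),
                         ("partial overrides", PARTIAL_OVERRIDES),
                         ("full overrides", FULL_OVERRIDES)):
        problems = report(VOICE_DSCPS_IN_USE, table)
        print(f"{label}: {'ok' if not problems else ''}")
        for line in problems:
            print("  " + line)
```

Under that assumed fallback, EF (46) has precedence bits 101, which is user priority 5 and therefore the video class, so a table that remaps only one of several voice markings still leaves some calls outside the voice queue.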

Yet another issue for WLAN forwarding
had to do with virtual LAN (VLAN) tagging.
Network designs often use separate VLANs
for VoIP traffic, and the InteropLabs VoIP
network was no exception. This generally
worked fine, with two exceptions: First, a relatively
old Symbol switch supported only
VLAN IDs between 1 and 31 — too narrow
a range to accommodate the VLAN IDs between
100 and 300 in use on the show network.
To its credit, Symbol promptly supplied
its newer WS5100 switch, which supports
any VLAN ID.


Second, the SpectraLink SIP proxy required
that handsets reside in the same
VLAN and IP subnet as the proxy. The
workaround: On each access point, the
team allocated two VLANs (each with a
unique service set identifier), one for the
local subnet and one for the SpectraLink
proxy's subnet. The enterprise-grade WLAN
devices all handled this workaround, but
some consumer-grade access points (such
as a Linksys WRT54GX) don't support
VLANs at all.

Despite the various hurdles encountered,
team engineers generally were able
to call from any location to any other
location (including offsite) by the end of
the HotStage testing period. Team engineers
and vendors continue to work to
resolve the few outstanding issues, and
most agreed that VoIP is getting easier to
deploy, even in environments that aren't
necessarily VoIP-friendly.

Newman is president of Network Test, an
independent engineering services consultancy
in Westlake Village, Calif. He can be
reached at dnewman@networktest.com.


InteropLabs  lessons  learned:  VoIP  do's  and  don'ts 


BY  DAVID  NEWMAN,  NETWORK  WORLD  LAB  ALLIANCE 


VoIP  is  getting  easier  to  deploy,  but  the  process  still  isn’t  as  straightforward  as  it 
might  be.  Even  the  veteran  engineers  on  the  InteropLabs  team  ran  into  multiple 
gotchas  in  setting  up  Interop’s  demo  network. 

HERE  ARE  A  FEW  DO’S  AND  DON’TS  THE  TEAM  PICKED  UP  ALONG  THE  WAY: 


• Do look for equipment that supports the Wi-Fi Alliance's Wi-Fi Multimedia (WMM) extensions for wireless LANs, which allow
prioritization of voice traffic. Every enterprise WLAN checklist should include support for the WMM extensions, which in turn
are based on the new IEEE 802.11e standard.


• Do ensure that network- and link-layer QoS mechanisms are mapped correctly. When using QoS on wireless LANs (WLAN), two
sets of QoS markings are at work: DiffServ code points (DSCP) at the network layer and WMM access classes at the link
layer. Switches handling wired and wireless traffic should be configured so the DSCP and WMM access-class mappings line
up, ensuring prioritization for voice traffic.


• Don't use network address translation (NAT) for VoIP networks if at all possible. NAT can break Session Initiation Protocol
(SIP)-based VoIP in a number of ways, and troubleshooting can be difficult and time-consuming. Among the many issues to
consider are whether the NAT device performs many-to-one or many-to-many address translations; whether IPsec is in use
(and if so, how IPsec tunneling interacts with NAT); and whether VoIP proxies use application-layer (SIP) or network-layer (IP)
criteria in making forwarding decisions.


• Do consider configuring SIP proxies as media relays where NAT is in use. Normally, SIP phones go through a proxy only to set
up a call, and then communicate directly once the call is established. Rather than setting up one NAT rule for each phone in use
(potentially requiring hundreds or thousands of rules on the NAT device), it may be necessary to configure the SIP proxy as a
media relay that handles the real-time protocol packets carrying voice traffic as well as the SIP packets used for signaling.


• Don't assume VoIP equipment supports the virtual LAN (VLAN) addressing plan already in use within the network. The
InteropLabs VoIP network used VLAN IDs between 100 and 300, but not all switches support VLAN IDs in that range (even
though VLAN addresses theoretically can range as high as 4095). This was solved with an equipment swap on the test network's
backbone. At remote sites, it may be a different story: Some small office/home office network devices (including many
consumer-oriented WLAN access points and firewalls) don't support VLAN tagging at all.
Cisco hits on firewall/VPN,
misses on tight management


ADAPTIVE SECURITY APPLIANCE

CISCO ADAPTIVE SECURITY
APPLIANCE 5540

Cisco

NetResults 4.08


BY JOEL SNYDER, NETWORK WORLD LAB ALLIANCE


Base price with 1GB RAM and five fixed
10/100/1000 interfaces: $17,000 (extra four Gigabit
Ethernet ports, $5,000; IDS Module, $6,000;
Anti-X module, $4,500).

Pros: Strong firewall capabilities; dual site-to-site
and remote access IPSec VPN;
enterprise-focused unified threat
management (UTM) feature set.

Cons: Integrated management poorly done; SSL
VPN lacks maturity.


With its first iteration of the Adaptive Security Appliance a year ago this
week, Cisco shipped its first new stand-alone enterprise firewall/VPN combination
in nearly five years. Since then, Cisco has followed through on its
integrated-appliance road map, providing an updated SSL VPN module and
adding optional anti-virus and intrusion-prevention services to the ASA line.


In our exclusive test of Cisco's ASA 7.1 software running
on a high-availability pair of ASA 5540 systems, we ran
these boxes on a live network for more than a month.
These models are focused strictly on the enterprise with
650Mbps of firewall and 325Mbps of VPN throughput. We
mainly tested the ASA's firewall and VPN capabilities as
well as the management wares supplied to drive these features
(see “How we did it” at www.nwdocfinder.com/3025).
Cisco did not supply the anti-virus module to test, and
because Network World has an intensive test of
intrusion-prevention system (IPS) products in progress, we didn't
look in detail at the Cisco IPS.

All ASA 5500 units have a single slot for a security service
module (SSM). Cisco has released three SSMs: a four-port
Gigabit Ethernet card, a content-filtering SSM
(anti-virus/anti-spyware) and an IPS SSM. Additionally, all models
come with either four Gigabit Ethernet and one
10/100Mbps Ethernet port (in the case of the higher-end
5520 and 5540 models) or five 10/100 Ethernet interfaces
(as is the case with the entry level ASA 5510).

Overall, we found that as a replacement for the venerable
PIX and 3000-series IPSec VPN concentrators, the ASA
boxes are lean, fast and bring a well-rounded approach to
perimeter network security.

We also used Cisco's Adaptive Security Device Manager
(ASDM) Version 5.1, a Web-launched Java-based GUI, to
configure and monitor the systems. ASDM greatly simplifies
defining firewall, site-to-site and remote-access VPNs,
bringing firewall-configuration tools for the ASA to a level
now commonly expected in this product space.
Unfortunately, Cisco badly bungled its opportunity to
build a management system that truly integrates the PIX,
IPSec and SSL VPN and IPS capabilities. Overall, Cisco's
GUI mixes pieces from all of the system in some places,
segregates them in others and offers an unnecessarily
complex and difficult-to-use interface.

Start with the firewall

If you buy an ASA, you should do so primarily for its firewall
features as these are the most mature parts of the
product. Cisco includes a multizone stateful packet inspection
firewall with 23 application layer gateways, ranging
from the normal and expected (such as FTP, DNS and
HTTP) to the unusual (such as GPRS Tunneling Protocol,
obviously put in for the carrier-class telecom customer). As
might be expected, the ASA includes application layer gateways
for newer VoIP protocols, such as Session Initiation
Protocol (SIP), Media Gateway Control Protocol, H.323 and
even Cisco's own Skinny Call Control Protocol. While this is
not a VoIP-specific firewall, our tests show that you can run
SIP traffic through the firewall without problems.

The ASA software we tested isn't fully compatible with
Cisco's new Network Admission Control (NAC) scheme
(Cisco says full NAC integration will be available before July
1), but it does provide for identity-based access controls. For
example, you can force outgoing users to authenticate with
a Web page against an Active Directory server, and then use
information in Active Directory to decide who can use the
Internet, and where they can go. This kind of user-driven
access control (as opposed to IP-driven access control, the
only option in most other firewalls) is a good steppingstone
to more comprehensive network access control schemes,
such as Cisco's own NAC architecture. (For more on NAC
architecture, see www.nwdocfinder.com/3023 and 3235.)

Cisco's historic strength in network address translation is
in this version as well, making the ASA an especially appropriate
system to protect perimeter networks.

The ASA can act as a traditional Layer 3 routing firewall
(with support for Open Shortest Path First dynamic routing)
and can be a bridging (Layer 2) transparent firewall —
a new feature for Cisco with the ASA. Although the ASA
firewall code has a few remaining rough edges — such as
an SMTP mail proxy that reduces security by refusing to
allow encrypted connections — most security managers
will find its capabilities are more than enough for a typical
perimeter deployment.

Where the ASDM and ASA combination really shines is in
the new monitoring and reporting capabilities joined with
longer-term event storage provided by the ASA software.
These devices can be configured to save five days of statistics,
including 11 interface-specific statistics (such as bandwidth
and dropped packets), which it then can easily graph
for a short-term peek at loads and behaviors. On the monitoring
side, you can point to a “deny” log entry and with a
single click, create a rule to allow that traffic instead. As
these inexpensive firewalls get deployed deeper within the
network, the ability to jump between analysis and policy
creation will be a big time saver and can reduce errors.


The Breakdown

Firewall function (35%): 4.5
Hardware performance and flexibility (25%): 4.0
Additional UTM and VPN features (15%)
Scalability and suitability for enterprise deployment (15%): 4.0
Management integration and manageability (10%): 3.0
Total score: 4.08

Scoring Key: 5: Exceptional. 3: Average. 2: Below average. 1: Subpar or not available.

In integrating its PIX firewall and VPN 3000 Series
Concentrators, Cisco has two very different IPSec styles to
merge. While the 3000-series concentrator had a great deal
of flexibility, the complexity of the management interface
has been known to keep some customers from using most
of the product's capabilities. By jettisoning the complexity
and building well-designed wizards to support both site-to-site
and remote access VPN tunnels into ASDM, the ASA
finally makes it easy to deploy basic VPN functionality for
two different functions all in the same piece of hardware —
something the other hardware VPN vendors have been
unable to do.

We were able to configure, enable and test basic remote
access VPN features on the ASA in less than five minutes.
This proves Cisco has not only kept track of the ease-of-use
features of the original 3000-series, but has extended them
to its new hardware and management platform.

While the ASA we evaluated is targeted more at enterprise
deployments, this combination of firewall, site-to-site
and remote access VPN will be especially useful to the
small-to-midsize business network where a single device is
expected to do triple duty.

It's been said, though, that on every fine cheese, some
mold will grow. While the ASA has developed into an
enterprise-class firewall and IPSec VPN device, it was profoundly
disappointing to see that Cisco didn't take the opportunity
of a new platform and a new version of the operating system
to also revise its management tools. While some components,
such as monitoring and VPN setup, are well done,
there is no sense of holistic management brought to the
table with the ASDM. It seems clear that the ASA hardware
and its configuration GUI are not considered as a single,
coherent whole, because the careful engineering that went
into building the ASA is not evident in the ASDM GUI.

The ASA still has a command-line interface, and for some
of Cisco’s service provider and many site enterprise customers,
this will be the best way to control and monitor their firewalls.
However, for the rest of us, Cisco has given us ASDM, the most
opaque and poorly designed configuration user interface of
any enterprise firewall on the market today. While a weak
management interface was understandable in the first years of
Cisco’s entry into the security market, it’s inexcusable that a
company this large, with this many customers and with this
kind of resources, cannot develop a better user interface to
configure its products.

It’s not all bad. If you only use the ASA as a firewall, you will
likely be satisfied with the ASDM user interface. The
straightforward model of rules and objects used in the firewall
part of the configuration interface is simple enough to use.
Even more advanced features, such as configuration of advanced
rules for application layer gateways such as HTTP traffic
inspection, are easy enough for any security manager to understand.


Lab Alliance

■ Snyder is also a member of the Network World Lab Alliance, a
cooperative of the premier testers in the network industry, each
bringing to bear years of practical experience on every test. For more
Lab Alliance information, including what it takes to become a partner,
go to www.networkworld.com/alliance.

Other members: Mandy Andress, ArcSec; John Bass, Centennial
Networking; Travis Berkley, University of Kansas; Jeffrey Fritz,
University of California, San Francisco; James Gaskin, Gaskin
Computing Services; Thomas Henderson, ExtremeLabs;
Miercom, network consultancy and product test center; Christine
Perey, Perey Research & Consulting; Barry Nance, independent
consultant; David Newman, Network Test; Thomas Powell,
PINT; Rodney Thayer, Canola & Jones; Sam Stover, independent
consultant.


However, Cisco has gone out of its way to craft the configuration
GUI to match the underlying command-line interface, which
means that network managers will enter the same information
twice — because you can’t, for example, allow traffic into a Web
server and manage the HTTP inspection on that traffic on the
same screen.

Where the ASDM configuration GUI really falls apart is in all of the
peripheral services that Cisco has built into the ASA, such as the SSL
VPN and the IPS (see full evaluation of SSL VPN at
www.nwdocfinder.com/3022). For example, in the SSL VPN, managing
access controls is done with numbered, not named, access control
lists (ACL), which cannot be combined. This means that the network
manager has to remember that ACL 129 is used for network
access for IT staff, while 128 is used for the extranet, and 103 is
the list of URLs that employees have access to.

Cisco, while providing a strong firewall and VPN combination,
missed its chance to be a leader in simplifying network and
system management with the ASA series.

Snyder is a senior partner at Opus One, a consulting firm, in
Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


MANAGEMENT STRATEGIES

■ CAREER DEVELOPMENT ■ PROJECT MANAGEMENT ■ BUSINESS JUSTIFICATION

WAN  optimizers  stretch  budgets 

Bandwidth  acceleration  devices  provide  an  easily  implemented  money-saving  measure. 

BY  TIM  GREENE 


One of the surest ways for companies with expensive
data links to save money is to install WAN acceleration
devices. Users report the gear pays for itself in
as little as a few months.

The primary way these devices save money is by making
fixed-size links appear larger. This puts off the need to buy more
bandwidth, which is a money-saver, particularly when the
bandwidth is expensive, as is the case with international direct
circuits.

WAN optimizers sit at both ends of connections and tune traffic
so more of it crosses the wire more efficiently. The results
are increased throughput and faster application response time
and database access. A long list of vendors including Blue Coat,
Expand Networks, F5 Networks, Juniper Networks, NetScaler,
Orbital Data, Packeteer, Riverbed and Silver Peak make such
appliances, which tap a range of technologies to
achieve results (see graphic).

Many ways to be faster

WAN acceleration devices use a variety of technologies, with each
vendor picking its own to make the connections perform better.

Compression: Reduces the volume of bits needed
to represent files before they reach the WAN.

Pattern reduction: Reduces the volume of bits
by recognizing patterns in bit streams that are
independent of file structures and sending an
abbreviated version.

Application optimization: Anticipates responses
that applications need and provides them locally,
reducing WAN traffic.

TCP optimization: Running customized TCP that
responds more moderately to congestion reduces
slowdowns when congestion does occur.

Caching: Stores local copies of frequently
accessed files so they don’t have to cross the
WAN and syncs just the changes with the
originals.

These devices can have a quick ROI, for domestic links as well as
international ones. For example, the payback for Lititz,
Pa., financial services firm Susquehanna Bancshares was less than
a year when it placed Expand’s WAN accelerators on a
DS-3 connection between its Pennsylvania data centers 120 miles
apart, says Rod Lefever, the firm’s senior vice president
and CTO.

The company used to outsource a disaster-recovery site where
tapes would be shipped, replicated and brought online if
the primary data center failed, but it was a lengthy process to
bring up the site. “The best case was 36 hours,” Lefever says.

The company replicates several gigabytes of data per day, much
of it the images of checks the company processes.
That time was getting longer as the data center handled more
traffic, so the company decided to set up a second company-owned
data center to continuously replicate the first.

With the then-existing bundle of five T-1 circuits bonded into a
logical 7.5Mbps link, the backup could be online in half an hour.
Much of that delay was caused by some switchovers the firm
decided to keep manual as a security precaution, Lefever says.
The problem, though, was that total traffic over the link had
increased to an average 6M to 7Mbps, with peak traffic spiking to
nearly 45Mbps. “We used the vast majority of our available
bandwidth for average traffic,” he says.

So the company tested devices from Expand and Peribit (now part
of Juniper). Susquehanna found for its particular mix of
traffic, the Peribit gear didn’t improve performance on the link,
Lefever says. But the company says the Expand product improved
traffic throughput enough so even spikes in traffic could be
handled on the 7.5Mbps logical link.

The setup was tight, however, and allowed no room for growth.
Lefever says over time, traffic spikes increased to highs of 80M to
150Mbps, depending on the day.

“The peaks are very short, but they would cause congestion and a
backlog of traffic,” he says. Those peaks required an OC-3
connection, so the company bought a DS-3. The company had
thought about putting in more T-1s rather than jumping to a DS-3,
but it turned out the DS-3 was less expensive
than multiple extra T-1s, he says.

Once the DS-3 was installed, the average traffic volume before
compression was about 8Mbps. After compression it was 4M
to 5Mbps, and traffic peaked at 30Mbps. Susquehanna could have
gotten by with the DS-3 and no WAN optimization, but Lefever
says he knew more application traffic was inevitable, so in
mid-2005 he purchased and installed the Expand devices to give
room for growth.

“Now we are looking at four or five other major data sources
looking to replicate between the data centers,” Lefever says.
“Without the Expand [devices] we would be looking at putting in
an additional DS-3 circuit or more.”

At  $5,500  per  month,  that  is  a  pricey 
prospect  and  makes  the  Expand  optimizers 
attractive.  “With  them  we  can  get  twice, 
probably  three  times  the  utility  out  of  the 
DS-3,  and  the  ROI  on  that  is  just  under  one 
year,”  he  says. 

He says the company is considering another pair of Expand boxes
to connect two other sites closer than the data centers
are, so the links are less expensive. “It would be closer to two
to three years’ ROI on the one being considered,” he says.

The DS-3 failed once, but with the Expand boxes in place, daytime
network traffic was maintained using just the five T-1 circuits
that have remained in place for other uses, as well as backup
when the DS-3 fails. That allowed business to go on unimpaired and
even some replication traffic squeezed in, he says. “If the
failure had been at night [when most of the replication is done] we
would have fallen behind, but not so much
that we couldn’t catch up,” he says.

International  appeal 

Another user of WAN acceleration gear, Internet gaming company
Electronic Arts in Redwood City, Calif., found the ROI so
compelling it started a massive program to install them on all the
company’s international connections, says Ruben Cortez, the
company’s chief network architect.

The  company  wanted  to  consolidate  its 
servers  at  fewer  sites  to  reduce  capital  and 
administrative  costs  and  decided  it  needed 
better-performing  WAN  connections  so 
server  access  didn’t  become  so  slow  it  got 
in  the  way  of  doing  business,  he  says. 

Used initially on a connection between Brisbane and Sydney,
Australia, the Riverbed WAN optimizers cost the company
$147,000. New file servers for the consolidation project and
maintenance for a year cost $44,000, he says. The performance
increase the Riverbed gear brought about let the company put off
buying more bandwidth for a year — a savings of
$78,528, he says, and the company estimates a productivity
increase of $216,000 in the first year.

That gave the project an ROI of 8.3 months, Cortez says, adding
that some of the ROI is real but hard to quantify. “If I had
to do it again, I’d put more emphasis on the
opportunity cost of people having to wait
for a file to get across. We have situations
where now it’s not five minutes for the next
window, it’s 10 to 15 seconds,” he says.
Important dates in CALEA’s evolution

1994: Congress enacts the Communications Assistance for Law Enforcement Act
(CALEA), which mandates that service providers redesign their networks to enable
wiretapping by law enforcement agencies.

1998: U.S. Attorney General Janet Reno threatens service providers and vendors
with court action if they don’t build surveillance features into their networks and
products by October 1998.

The House of Representatives passes legislation extending the CALEA compliance date
to Oct. 1, 2000.

1999: Network managers and IETF officials speak out against instrumenting
protocols to enable wiretapping of Internet communications.

2000: A U.S. federal appeals court rules the FCC exceeded its authority by requiring
carriers to make available to law enforcement agencies signaling information from
custom-calling features, such as call forwarding and call waiting.

2001: The FBI requests carriers make network changes to allow law enforcement
agencies to tap packet-based phone calls, including laying multiple taps on a single
line, providing real-time monitoring of network traffic, allowing undetectable wiretaps
and having better wiretap reliability.

2003: The Department of Justice and the FBI ask regulators for expanded technical
capabilities to intercept VoIP communications.

2004: Congressmen John Sununu (R.-N.H.) and Chip Pickering (R.-Miss.) offer
separate bills on VoIP regulation, one exempting VoIP from wiretapping, the other not.

Several groups, including the Justice Department, oppose the Sununu bill, arguing
that VoIP could become a way for criminals to circumvent wiretaps.

The FCC examines policies needed to ensure that VoIP providers and managed
broadband communications services comply with CALEA.

2005: A group of privacy advocates and technology companies, including the Center
for Democracy and Technology and the Electronic Frontier Foundation, file court
papers to challenge an FCC ruling requiring VoIP providers to allow wiretapping by
law enforcement agencies.
based Internet access providers, CALEA by default includes
colleges and universities, Wigen says. Broadband Internet access and
VoIP providers have to be CALEA-compliant by May 14, 2007, the
FCC says.

“Under the old CALEA . . . universities were exempt because they
were considered a private network,” she says. “But when law
enforcement wanted CALEA extended to Internet service providers,
they did not distinguish between private and public — they
said anyone who supplies a connection to the public Internet will
have to be CALEA-compliant. Well, on university campuses that’s
one of our main functions.”

A spokesman at the FCC said the commission has reached no
conclusion on the issue of university compliance. Some college
network officials, however, see the binary digits on the wall.

“It seems to me at some point it will have to apply to us because
we look somewhat like an ISP to the university,” says Brian Jones,
manager of network engineering at Virginia Polytechnic Institute
and State University’s Tech’s Communications Network Services
unit in Blacksburg. “I don’t know how it could not apply to us at
some point.”
That prompts officials to want to dissect the law thoroughly to
assess its full impact.

“The position that it would be an onerous financial burden ... we
are cost-conscious, academic freedom is a cornerstone of the higher
[education] ethos, and we are profoundly network-dependent,” says
Lesley Tolman, director of networks and telecom at Tufts
University in Medford, Mass. “Those three qualities alone make us
look at CALEA very critically. We take its
implications very seriously.”

Cost is only one concern university officials have regarding
CALEA compliance. Others are that opening networks to wiretapping
provides another conduit by which hackers could infiltrate a
network, and that institutions of higher education and research
are particularly squeamish about anything perceived as a possible
compromiser of privacy and freedom of speech and research.

“There may be some concern about hindering research,” Jones
says. “There’s research funded by corporations or whomever that
is very competitive and has to be guarded closely. There are
patents involved, a lot of money and a lot of years spent on
various projects.”

“With any broadening of federal power, sometimes those kinds of
issues hang in the balance,” Tolman says. “There’s an additional
level of skepticism that gets applied to an analysis of a
situation when we’re talking about broadening or deepening federal
powers of surveillance.”

Wigen says talks are ongoing between Educause and other
higher-education associations and the Department of Justice, in an
effort to reach a wiretapping compromise that would not be as
financially burdensome — or an all-out exemption. Offers of
compromise by Educause include changing out only the gateway
router to the service provider, which Wigen says is turned over at
regular maintenance intervals anyway. “If we did it in the natural
replacement cycle, that would not be too terribly burdensome,” she
says of that option.

Some of the worst-case scenarios being mulled by the Justice
Department, she says, include making all equipment down to
laptops CALEA-compliant. That would be the most expensive and
burdensome option for schools.

The best-case scenario would be an all-out exemption, which is
what the ACE vs. FCC petition seeks. It argues Congress 10 years
ago exempted Internet “information services” from CALEA and the
FCC has no right to reverse that.

Educause, one of the petitioners, expects a ruling from the
court by the end of the summer. The Justice Department referred
requests for comment to its formal responses posted on the FCC
and AskCALEA Web sites.

“[Department of Justice] notes that it is willing to work with representatives of certain classes of service providers, such as schools, libraries and research networks, on solutions that would apply to narrowly tailored and well-defined categories of providers and would clearly identify sufficient alternative means of addressing the needs of law enforcement,” the Justice Department replied in a comment dated Dec. 21, 2005. The department continues, “arguments about exemptions being justified by the alleged costs of CALEA compliance should also be examined critically. Service providers’ arguments have glaringly lacked specifics.”

These same challenges could befall enterprise networks, or effectively any organization that provides facilities to connect its constituents to the Internet. According to the Enterprise Network Technology Users Association (ENTUA), however, CALEA is not first and foremost on the minds of enterprise network executives.

“I don’t think it was something on our radar screen,” says Jay Shell, acting chair of ENTUA’s government issues and policy committee. “Once I did look into it, my interest was piqued, particularly from what my business is, which is debt collection. So there could be some ramifications there that I need to pay attention to.”

Some analysts who consult for companies say CALEA and wiretapping are currently non-issues.

“Ninety-nine percent of the enterprises I work with don’t have any idea what CALEA actually requires in the broadest sense, let alone of them,” says Johna Till Johnson of Nemertes Research and a Network World columnist. “I haven’t heard a single enterprise come back and say, ‘Hey, what do we need to do about CALEA?’”

Johnson says enterprises are more concerned with a broader set of risks, such as exposure of confidential or sensitive data by external infiltrators. That’s not to say companies shouldn’t be aware also of the implications of electronic eavesdropping for lawful and unlawful purposes.


“Any time you can architect a system to be wiretapped by X, it can be wiretapped by Y,” Johnson says. “Anytime you build in a security breach by design, you open yourself up to an unintended security breach.”

This presents a Catch-22 for vendors as well. The $7 billion upgrade figure presented by Educause no doubt has them salivating. But providing another potential conduit for hackers in their products, or stunting privacy and freedom of research, could lead to some embarrassing and disruptive episodes.

Sources  say  industry  leader 
Cisco  is  passionately  debating 
these  issues  internally.  Repeated 
requests  for  interviews  with  Cisco 
public  policy  and  legal  officials 
were  fruitless. 

The only comment a Cisco spokesman would offer is that the company intends to comply with CALEA. Cisco already has published an informational IETF RFC, No. 3924, on an “architecture for lawful intercept in IP networks” (www.nwdocfinder.com/3258).

Juniper Networks also declined a request for an interview about CALEA. Nortel did not reply by press time.


“It seems to be at some point it will have to apply to us because we look somewhat like an ISP to the university.”

Brian Jones, manager of network engineering, Virginia Tech University
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Intel,  AMD  chips  add 
advanced  features 


BY  JENNIFER  MEARS 

Recognizing  that  clock  speed  is  no  longer 
a  strong  selling  point,  Intel  and  AMD  are 
enhancing  their  x86  processors  with 
embedded  features  such  as  virtualization 
and  management  tools  meant  to  take  the 
heavy  lifting  off  the  software  that  handles 
such  tasks  today. 

On the server side, for example, there has been a lot of talk about virtualization capabilities that will be embedded into processors to enable software such as VMware and Xen to run better. The shift also is happening on the desktop.

Intel’s vPro business desktop, which was announced last week and is expected to begin shipping in the third quarter, is a good example of what users will be able to do with systems thanks to new hardware-based technologies.


The business PC

Intel is targeting corporate PCs with its vPro technology, expected in the third quarter. Key features:

• Reduced heat: A low-power-consuming dual-core processor, code-named Conroe.

• Easier management: Intel Active Management Technology to discover, diagnose and repair PC problems remotely even if the device is turned off or has crashed and to isolate infected PCs from the network, when necessary.

• Tighter security: Intel virtualization technology to enable hardware-based partitions to contain application services such as virus scanning that are invisible and isolated from users.

The vPro package will deliver three benefits: low IT maintenance costs, high security and better energy efficiency, Intel President and CEO Paul Otellini said at a press conference in San Francisco announcing vPro.

The systems will be built on Intel’s next-generation desktop processor, code-named Conroe. With Conroe, the systems will have virtualization technology hardwired into the silicon, meaning that desktops can be partitioned into isolated hardware environments. As a result, software services, such as virus scanning, will be able to run in a protected, isolated environment outside the core operating system. Today desktops can be virtualized, but only through software from such vendors as VMware.

In addition, the vPro chipset will include Intel Active Management Technology. This hardware- and firmware-based technology will let IT professionals more easily manage and monitor desktop devices, even if the devices are in the middle of a crash, analysts say.

“It’s really the next step in the evolution of desktop management systems,” says Martin Reynolds, a vice president at Gartner. “Today, management systems rely on the integrity of the operating system that they’re trying to manage, and most of the time the reason you want to manage something is because the operating system is broken. Intel is breaking that link with these new systems.”

AMD also is heading in that direction. “But they’re not quite there yet,” Reynolds says, adding, “I don’t think it will take long for AMD to catch up and produce something similar.”

AMD plans to integrate virtualization capabilities into its processors in the second half of the year, says Simon Solotko, product manager for commercial desktops at AMD. As for management tools, AMD is focusing on the Alert Standards Forum (ASF) 2.0 specification, a hardware-based management standard created by the Distributed Management Task Force to enable customers to remotely monitor and repair heterogeneous PCs.

HP  and  Dell,  along  with  software 
providers  such  as  Altiris,  also  have  come 
out  in  support  of  this  standard. 

“ASF 2.0 was the first in hardware-based manageability,” Solotko says. “AMD is choosing an industry-standard approach, while Intel is taking a proprietary approach.”

Regardless  of  the  approach,  Reynolds 
says  the  trend  toward  creating  a  hardware 
platform  for  PC  manageability  will  be 
important  for  users,  who  face  their  biggest 
PC  costs  in  managing  the  devices. 

“For  enterprises,  the  cost  of  the  desktop 
isn’t  that  much,”  he  says.  “It’s  more  the  cost 
of  the  operations  that  concerns  them.” 

Intel plans to put a small vPro sticker on each desktop, just as it labels notebooks with Centrino stickers today.

IDG  News  Service  Correspondent  Ben 
Ames  contributed  to  this  report. 
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Darwin  and  spam 


“In the struggle for survival, the fittest win out at the expense of their rivals because they succeed in adapting themselves best to their environment.”

—  Charles  Darwin 


According to a recent CipherTrust study, consumers respond to and spend money on 5% of spam messages that link to porn sites. That’s in contrast to the 0.025% response rate generated by pharmaceutical spam and the 0.0075% rate for spam hawking Rolex watches and the like.

Why is this? Because evolution has made us more interested in sex than in medicine or fashionable timekeeping. It is all about what ensures greater survival.

But spam and Darwinian evolution are more interlinked than that. A few weeks ago I blogged about the Federal Trade Commission (FTC) and the state of California taking to court Qing Kuang “Rick” Yang and Peonie Pui Ting Chen for an enormous spamming business that generated mail under various names, including Optin Global, Vision Media, USA Lenders Network, USA Lenders and USA Debt Consolidation Service (see www.nwdocfinder.com/3256 and 3257 for more details).

The case resulted in a deal in which the defendants didn’t admit any wrongdoing but were fined $475,000 and agreed to refrain from illegal activity and to monitor their affiliates more closely.

This was a victory of sorts for the CAN-SPAM legislation, as well as for consumer activism, because what motivated the FTC to take the Optin Gang to court was that consumers sent in more than 1.8 million examples of the defendants’ spam. As this spam violated almost every provision of the CAN-SPAM Act, the FTC decided to do something about it.

I  concluded  my  blog  entry  with  a  thought  concerning 
the  Darwinian  forces  involved.  In  this  case  a  species, 
Optingangus  Aggravatus  (a  member  of  the  Spammerus 
family),  found  a  niche  and,  like  all  animals  that  intend 
to  survive  and  prosper,  went  about  exploiting  it. 

The problem was that the Optin Gang became too big for its niche. It managed to set itself up to be detected by the FTC. The FTC, acting like predators, picked it off. Score one for the forces of nature.

Unfortunately, Darwinian forces keep pushing things along, so there are plenty of other members of the Spammerus family around to jump into the void left by the removal of the Optin Gang. Its disappearance simply leaves more of the niche for other spammers to capitalize on and to do so with less competition and more knowledge of where the dead species went wrong.

In other words, every time we get rid of a spammer we’re opening the doors for new players to enter the market and evolve so that they adapt to their environment more successfully. We are breeding better spammers.

Part of the problem arises because we’re picking off only the biggest spammers. When they disappear, smaller spammers get a larger market and become more successful. This gives them more of a reason to stay in business. Their success will lure others into the game, ensuring that new spam operations are always taking the place of those that die or get killed off.

What can we conclude from this? First, there will always be new spammers because the rewards are great enough to make it worthwhile. Second, below a certain size (the spam-volume event horizon) spammers are too small to face a liability more serious than their ISP cutting them off. Third, spammers that get big have to get smart if they are to survive.

The problem is that the cost of finding and prosecuting these spammers is enormous. And picking off only the biggest is fostering the evolution of more-wily spam operators, who will cost even more to prosecute.

Perhaps  the  answer  is  to  stop  prosecuting  and  thereby 
slow  evolution. 

Click through to Gibbsblog or sound off to backspin@gibbs.com. PS. Darwin was adopted.
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News,  insights  and  oddities 


Can’t  find  a  domain  name?  . . .  Here’s  why 


Paul  McNamara 


Chances are good that you’ve never heard of the add/drop scheme, so dubbed by GoDaddy CEO Bob Parsons. But if you’ve recently struggled to find a decent .com domain name or paid a king’s ransom to regain control of one your organization forgot to renew, the chances are also good that you have been victimized by this growing blight.

Adding insult to injury, it’s all legal and within the rules as set by ICANN — a situation that needs to change. Parsons spells out the details in a blog post that you can access through www.nwdocfinder.com/3252.

At the heart of the add/drop scheme is a seemingly reasonable five-day grace period that domain registries allow all customers: Claim a name, and you’ve got five days to kick it back into the pool without having incurred a penny of expense — your deposit money is returned in full. It was originally seen as a way to guard against buyer’s remorse, simple mistakes and fraudulent registrations.

What’s happened is that the grace period has spawned one of those Internet “businesses” where the clever — some might call them the unscrupulous — swoop in to skim profits without adding anything meaningful in the way of value.

The schemers are locking up millions of domain names every day, wringing five days’ worth of revenue from them via a handful of subschemes and then kicking back all but a tiny fraction just before the grace period expires. . . . Think of it as Internet strip mining.

The  numbers  parsed  by  Parsons  are  nothing  short  of  astonishing: 

• At any given moment, about 3.5 million domain names are tied up in add/drop limbo instead of being made available to those who would otherwise claim and use them.

• During the week of March 27 to April 2, for example, 92% of the approximately 5.4 million names registered were returned for a full refund — and 99% of the returns came from add/drop players.

• The number of grace-period .com drops increased 15-fold from March 2005 (1.85 million) to March 2006 (27.7 million).

RECENTLY IN BUZZBLOG

McNamara’s online archive: www.nwdocfinder.com/1032

■ Google gives Firefox a big push.

■ E-mail rules: Does anyone write longhand letters anymore?

■ An off-topic rant about gas prices and the TV news.

The  trend  should  be  setting  off  alarm  bells  throughout  the  Internet  industry,  says 
Peter  Alguacil,  an  analyst  at  Ipwalk,  which  tracks  statistical  trends  on  the  'Net. 

“If this is allowed to continue, within a year, more than 60 million domain names will be added and dropped every month. Almost all of these domain names will be part of the add/drop scheme,” Alguacil says. “This will cause enormous costs for registries and make legitimate domain name business close to impossible.”

GoDaddy’s Parsons says the answer to the problem is quite simple, albeit perhaps easier said than done. His proposed solution is to make non-refundable a 25-cent deposit on domain names that is already paid to ICANN every time a registration sticks beyond five days. The theory here is the same as with anti-spam measures that seek to make everyone put some skin in the game; under such conditions those who aren’t providing any real value cannot expect to reap any return. Instead, they will quit the game.

“There is a small problem with this approach,” he concedes. “ICANN is a consensus-based organization, and of course many registrars are participating in the add/drop scheme. It will be interesting to see how ICANN steps up to handle this problem now that it is in the light.”

I put the question to ICANN. A public relations representative promised me an e-mail response or an interview with an ICANN official, but as of this writing, neither has arrived.

Whether  the  organization  adopts  Parsons’  proposal  or  conjures  up  a 
fix  of  its  own,  this  much  appears  to  be  certain:  Someone’s  got  to  put  a 
stop  to  this  nonsense. 


See things differently? Have a solution of your own? The address is buzz@nww.com.
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